Add TLS-PSK authentication support via callback mechanism

This adds support for TLS Pre-Shared Key (PSK) authentication, allowing
secure connections without certificates using a shared secret key.

Changes:
- Add psk_cred_handler() builder method to create_webserver
- Add psk_cred_handler_callback typedef for PSK credential lookup
- Implement psk_cred_handler_func() static callback using GnuTLS
- Add MHD_OPTION_GNUTLS_PSK_CRED_HANDLER option when PSK is configured
- Add AM_CONDITIONAL for HAVE_GNUTLS in configure.ac
- Remove deprecated AC_HEADER_STDC macro
- Add minimal_https_psk example demonstrating PSK usage
- Add conditional GnuTLS linking in test/Makefile.am
- Update README.md with PSK documentation and example

The callback receives a username and returns the hex-encoded PSK,
or an empty string for unknown users.

Author: etr

README.md

@@ -313,6 +313,7 @@ You can also check this example on [github](https://github.com/etr/libhttpserver
 * _.https_mem_cert(**const std::string&** filename):_ String representing the path to a file containing the certificate to be used by the HTTPS daemon. This must be used in conjunction with `https_mem_key`.
 * _.https_mem_trust(**const std::string&** filename):_ String representing the path to a file containing the CA certificate to be used by the HTTPS daemon to authenticate and trust clients certificates. The presence of this option activates the request of certificate to the client. The request to the client is marked optional, and it is the responsibility of the server to check the presence of the certificate if needed. Note that most browsers will only present a client certificate only if they have one matching the specified CA, not sending any certificate otherwise.
 * _.https_priorities(**const std::string&** priority_string):_ SSL/TLS protocol version and ciphers. Must be followed by a string specifying the SSL/TLS protocol versions and ciphers that are acceptable for the application. The string is passed unchanged to gnutls_priority_init. If this option is not specified, `"NORMAL"` is used.
+* _.psk_cred_handler(**psk_cred_handler_callback** handler):_ Sets a callback function for TLS-PSK (Pre-Shared Key) authentication. The callback receives a username and should return the corresponding hex-encoded PSK, or an empty string if the user is unknown. This option requires `use_ssl()`, `cred_type(http::http_utils::PSK)`, and an appropriate `https_priorities()` string that enables PSK cipher suites. PSK authentication allows TLS without certificates by using a shared secret key.
 
 #### Minimal example using HTTPS
 ```cpp
@@ -346,6 +347,59 @@ To test the above example, you can run the following command from a terminal:
 
 You can also check this example on [github](https://github.com/etr/libhttpserver/blob/master/examples/minimal_https.cpp).
 
+#### Minimal example using TLS-PSK
+```cpp
+    #include <httpserver.hpp>
+    #include <map>
+    #include <string>
+
+    using namespace httpserver;
+
+    // Simple PSK database - in production, use secure storage
+    std::map<std::string, std::string> psk_database = {
+        {"client1", "0123456789abcdef0123456789abcdef"},
+        {"client2", "fedcba9876543210fedcba9876543210"}
+    };
+
+    // PSK credential handler callback
+    std::string psk_handler(const std::string& username) {
+        auto it = psk_database.find(username);
+        if (it != psk_database.end()) {
+            return it->second;
+        }
+        return "";  // Return empty string for unknown users
+    }
+
+    class hello_world_resource : public http_resource {
+    public:
+        std::shared_ptr<http_response> render(const http_request&) {
+            return std::shared_ptr<http_response>(
+                new string_response("Hello, World (via TLS-PSK)!"));
+        }
+    };
+
+    int main(int argc, char** argv) {
+        webserver ws = create_webserver(8080)
+            .use_ssl()
+            .cred_type(http::http_utils::PSK)
+            .psk_cred_handler(psk_handler)
+            .https_priorities("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+PSK:+DHE-PSK");
+
+        hello_world_resource hwr;
+        ws.register_resource("/hello", &hwr);
+        ws.start(true);
+
+        return 0;
+    }
+```
+To test the above example, you can run the following command from a terminal using gnutls-cli:
+
+    gnutls-cli --pskusername=client1 --pskkey=0123456789abcdef0123456789abcdef -p 8080 localhost
+
+Then type `GET /hello HTTP/1.1` followed by `Host: localhost` and two newlines.
+
+You can also check this example on [github](https://github.com/etr/libhttpserver/blob/master/examples/minimal_https_psk.cpp).
+
 ### IP Blacklisting/Whitelisting
 libhttpserver supports IP blacklisting and whitelisting as an internal feature. This section explains the startup options related with IP blacklisting/whitelisting. See the [specific section](#ip-blacklisting-and-whitelisting) to read more about the topic.
 * _.ban_system() and .no_ban_system:_ Can be used to enable/disable the ban system. `on` by default.

configure.ac

@@ -83,7 +83,6 @@ case "$host" in
 esac
 
 # Checks for header files.
-AC_HEADER_STDC
 AC_CHECK_HEADER([stdint.h],[],[AC_MSG_ERROR("stdint.h not found")])
 AC_CHECK_HEADER([inttypes.h],[],[AC_MSG_ERROR("inttypes.h not found")])
 AC_CHECK_HEADER([errno.h],[],[AC_MSG_ERROR("errno.h not found")])
@@ -250,6 +249,8 @@ if test x"$have_gnutls" = x"yes"; then
     AM_CFLAGS="$AM_CXXFLAGS -DHAVE_GNUTLS"
 fi
 
+AM_CONDITIONAL([HAVE_GNUTLS],[test x"$have_gnutls" = x"yes"])
+
 DX_HTML_FEATURE(ON)
 DX_CHM_FEATURE(OFF)
 DX_CHI_FEATURE(OFF)

examples/Makefile.am

@@ -42,3 +42,9 @@ benchmark_select_SOURCES = benchmark_select.cpp
 benchmark_threads_SOURCES = benchmark_threads.cpp
 benchmark_nodelay_SOURCES = benchmark_nodelay.cpp
 file_upload_SOURCES = file_upload.cpp
+
+if HAVE_GNUTLS
+noinst_PROGRAMS += minimal_https_psk
+minimal_https_psk_SOURCES = minimal_https_psk.cpp
+minimal_https_psk_LDADD = $(LDADD) -lgnutls
+endif

examples/minimal_https_psk.cpp

@@ -0,0 +1,63 @@
+/*
+     This file is part of libhttpserver
+     Copyright (C) 2011-2024 Sebastiano Merlino
+
+     This library is free software; you can redistribute it and/or
+     modify it under the terms of the GNU Lesser General Public
+     License as published by the Free Software Foundation; either
+     version 2.1 of the License, or (at your option) any later version.
+
+     This library is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Lesser General Public License for more details.
+
+     You should have received a copy of the GNU Lesser General Public
+     License along with this library; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+     USA
+*/
+
+#include <map>
+#include <memory>
+#include <string>
+
+#include <httpserver.hpp>
+
+// Simple PSK database - in production, use secure storage
+std::map<std::string, std::string> psk_database = {
+    {"client1", "0123456789abcdef0123456789abcdef"},
+    {"client2", "fedcba9876543210fedcba9876543210"}
+};
+
+// PSK credential handler callback
+// Returns the hex-encoded PSK for the given username, or empty string if not found
+std::string psk_handler(const std::string& username) {
+    auto it = psk_database.find(username);
+    if (it != psk_database.end()) {
+        return it->second;
+    }
+    return "";  // Return empty string for unknown users
+}
+
+class hello_world_resource : public httpserver::http_resource {
+ public:
+    std::shared_ptr<httpserver::http_response> render(const httpserver::http_request&) {
+        return std::shared_ptr<httpserver::http_response>(
+            new httpserver::string_response("Hello, World (via TLS-PSK)!"));
+    }
+};
+
+int main() {
+    httpserver::webserver ws = httpserver::create_webserver(8080)
+        .use_ssl()
+        .cred_type(httpserver::http::http_utils::PSK)
+        .psk_cred_handler(psk_handler)
+        .https_priorities("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+PSK:+DHE-PSK");
+
+    hello_world_resource hwr;
+    ws.register_resource("/hello", &hwr);
+    ws.start(true);
+
+    return 0;
+}

src/httpserver/create_webserver.hpp

@@ -46,6 +46,7 @@ typedef std::function<std::shared_ptr<http_response>(const http_request&)> rende
 typedef std::function<bool(const std::string&)> validator_ptr;
 typedef std::function<void(const std::string&)> log_access_ptr;
 typedef std::function<void(const std::string&)> log_error_ptr;
+typedef std::function<std::string(const std::string&)> psk_cred_handler_callback;
 
 class create_webserver {
  public:
@@ -223,6 +224,11 @@ class create_webserver {
          return *this;
      }
 
+     create_webserver& psk_cred_handler(psk_cred_handler_callback handler) {
+         _psk_cred_handler = handler;
+         return *this;
+     }
+
      create_webserver& digest_auth_random(const std::string& digest_auth_random) {
          _digest_auth_random = digest_auth_random;
          return *this;
@@ -384,6 +390,7 @@ class create_webserver {
      std::string _https_mem_trust = "";
      std::string _https_priorities = "";
      http::http_utils::cred_type_T _cred_type = http::http_utils::NONE;
+     psk_cred_handler_callback _psk_cred_handler = nullptr;
      std::string _digest_auth_random = "";
      int _nonce_nc_size = 0;
      http::http_utils::policy_T _default_policy = http::http_utils::ACCEPT;

src/httpserver/webserver.hpp

@@ -45,6 +45,10 @@
 #include <set>
 #include <string>
 
+#ifdef HAVE_GNUTLS
+#include <gnutls/gnutls.h>
+#endif  // HAVE_GNUTLS
+
 #include "httpserver/http_utils.hpp"
 #include "httpserver/create_webserver.hpp"
 #include "httpserver/details/http_endpoint.hpp"
@@ -153,6 +157,7 @@ class webserver {
      const std::string https_mem_trust;
      const std::string https_priorities;
      const http::http_utils::cred_type_T cred_type;
+     const psk_cred_handler_callback psk_cred_handler;
      const std::string digest_auth_random;
      const int nonce_nc_size;
      bool running;
@@ -210,6 +215,12 @@ class webserver {
 
      MHD_Result complete_request(MHD_Connection* connection, struct details::modded_request* mr, const char* version, const char* method);
 
+#ifdef HAVE_GNUTLS
+     static int psk_cred_handler_func(gnutls_session_t session,
+                                       const char* username,
+                                       gnutls_datum_t* key);
+#endif  // HAVE_GNUTLS
+
      friend MHD_Result policy_callback(void *cls, const struct sockaddr* addr, socklen_t addrlen);
      friend void error_log(void* cls, const char* fmt, va_list ap);
      friend void access_log(webserver* cls, std::string uri);

src/webserver.cpp

@@ -142,6 +142,7 @@ webserver::webserver(const create_webserver& params):
     https_mem_trust(params._https_mem_trust),
     https_priorities(params._https_priorities),
     cred_type(params._cred_type),
+    psk_cred_handler(params._psk_cred_handler),
     digest_auth_random(params._digest_auth_random),
     nonce_nc_size(params._nonce_nc_size),
     running(false),
@@ -276,6 +277,11 @@ bool webserver::start(bool blocking) {
     if (cred_type != http_utils::NONE) {
         iov.push_back(gen(MHD_OPTION_HTTPS_CRED_TYPE, cred_type));
     }
+
+    if (psk_cred_handler != nullptr && use_ssl) {
+        iov.push_back(gen(MHD_OPTION_GNUTLS_PSK_CRED_HANDLER,
+                          (intptr_t)&psk_cred_handler_func, this));
+    }
 #endif  // HAVE_GNUTLS
 
     iov.push_back(gen(MHD_OPTION_END, 0, nullptr));
@@ -396,6 +402,43 @@ void webserver::disallow_ip(const string& ip) {
     allowances.erase(ip_representation(ip));
 }
 
+#ifdef HAVE_GNUTLS
+int webserver::psk_cred_handler_func(gnutls_session_t session,
+                                      const char* username,
+                                      gnutls_datum_t* key) {
+    webserver* ws = static_cast<webserver*>(
+        gnutls_session_get_ptr(session));
+
+    if (ws == nullptr || ws->psk_cred_handler == nullptr) {
+        return -1;
+    }
+
+    std::string psk_hex = ws->psk_cred_handler(std::string(username));
+    if (psk_hex.empty()) {
+        return -1;
+    }
+
+    // Convert hex string to binary
+    size_t psk_len = psk_hex.size() / 2;
+    key->data = static_cast<unsigned char*>(gnutls_malloc(psk_len));
+    if (key->data == nullptr) {
+        return -1;
+    }
+
+    size_t output_size = psk_len;
+    int ret = gnutls_hex2bin(psk_hex.c_str(), psk_hex.size(),
+                             key->data, &output_size);
+    if (ret < 0) {
+        gnutls_free(key->data);
+        key->data = nullptr;
+        return -1;
+    }
+
+    key->size = static_cast<unsigned int>(output_size);
+    return 0;
+}
+#endif  // HAVE_GNUTLS
+
 MHD_Result policy_callback(void *cls, const struct sockaddr* addr, socklen_t addrlen) {
     // Parameter needed to respect MHD interface, but not needed here.
     std::ignore = addrlen;

test/Makefile.am

@@ -39,6 +39,10 @@ http_resource_SOURCES = unit/http_resource_test.cpp
 noinst_HEADERS = littletest.hpp
 AM_CXXFLAGS += -lcurl -Wall -fPIC
 
+if HAVE_GNUTLS
+AM_CXXFLAGS += -lgnutls
+endif
+
 if COND_GCOV
 AM_CFLAGS += -O0 --coverage --no-inline
 AM_CXXFLAGS += -O0 --coverage --no-inline