Skip to content

Add TLS-PSK authentication support via callback mechanism#348

Merged
etr merged 12 commits intomasterfrom
feature/tls-psk-support
Jan 27, 2026
Merged

Add TLS-PSK authentication support via callback mechanism#348
etr merged 12 commits intomasterfrom
feature/tls-psk-support

Conversation

@etr
Copy link
Owner

@etr etr commented Jan 27, 2026

Requirements for Adding, Changing, or Removing a Feature

  • Fill out the template below. Any pull request that does not include enough information to be reviewed in a timely manner may be closed at the maintainers' discretion.
  • The pull request must contribute a change that has been endorsed by the maintainer team. See details in the template below.
  • The pull request must update the test suite to exercise the updated functionality.
  • After you create the pull request, all status checks must be pass before a maintainer reviews your contribution. For more details, please see https://github.com/etr/libhttpserver/tree/master/CONTRIBUTING.md#pull-requests.

Issue or RFC Endorsed by Maintainers

Supersedes #333 - reimplementation with merge conflicts resolved.

Description of the Change

This PR adds TLS-PSK (Pre-Shared Key) authentication support to libhttpserver via a callback mechanism. PSK allows secure TLS connections without certificates by using a shared secret key.

Key changes:

  • Add psk_cred_handler_callback typedef: std::function<std::string(const std::string&)>
  • Add psk_cred_handler() builder method to create_webserver
  • Implement psk_cred_handler_func() static callback that integrates with GnuTLS
  • Add MHD_OPTION_GNUTLS_PSK_CRED_HANDLER option when PSK is configured
  • Add AM_CONDITIONAL([HAVE_GNUTLS],...) for conditional compilation in Makefiles
  • Remove deprecated AC_HEADER_STDC macro from configure.ac

Usage:

std::string psk_handler(const std::string& username) {
    if (username == "client1") return "0123456789abcdef";  // hex-encoded PSK
    return "";  // empty = reject
}

webserver ws = create_webserver(8080)
    .use_ssl()
    .cred_type(http::http_utils::PSK)
    .psk_cred_handler(psk_handler)
    .https_priorities("NORMAL:+PSK:+DHE-PSK");

Alternate Designs

The callback could return binary data instead of hex-encoded strings, but hex encoding was chosen for simplicity and to match the common PSK representation format used by tools like gnutls-cli.

Possible Drawbacks

  • Requires GnuTLS to be available at compile time (guarded by HAVE_GNUTLS)
  • PSK is less common than certificate-based TLS, so this adds complexity for a niche use case

Verification Process

  • Built with GnuTLS enabled: ./bootstrap && mkdir build && cd build && ../configure && make
  • All 12 existing tests pass: make check
  • New code passes cpplint style checks
  • Added minimal_https_psk example demonstrating the feature

Release Notes

Added TLS-PSK (Pre-Shared Key) authentication support via the new psk_cred_handler() builder method, allowing secure connections without certificates.

etr and others added 12 commits January 26, 2026 16:31
@etr
Add TLS-PSK authentication support via callback mechanism
18bc625 
This adds support for TLS Pre-Shared Key (PSK) authentication, allowing
secure connections without certificates using a shared secret key.

Changes:
- Add psk_cred_handler() builder method to create_webserver
- Add psk_cred_handler_callback typedef for PSK credential lookup
- Implement psk_cred_handler_func() static callback using GnuTLS
- Add MHD_OPTION_GNUTLS_PSK_CRED_HANDLER option when PSK is configured
- Add AM_CONDITIONAL for HAVE_GNUTLS in configure.ac
- Remove deprecated AC_HEADER_STDC macro
- Add minimal_https_psk example demonstrating PSK usage
- Add conditional GnuTLS linking in test/Makefile.am
- Update README.md with PSK documentation and example

The callback receives a username and returns the hex-encoded PSK,
or an empty string for unknown users.
@etr
Update GitHub Actions to v4 (cache and checkout)
90383a1
@etr
Fix linker error: link all examples against gnutls when available
47530ed 
The library now uses GnuTLS functions (gnutls_malloc, gnutls_free,
gnutls_hex2bin) for PSK support, so all examples need to link against
gnutls when HAVE_GNUTLS is defined, not just the PSK example.
@etr @claude
Update CI for Ubuntu 24.04 compatibility
f5df683 
- Update sanitizer builds (asan, lsan, tsan, ubsan) from clang-13 to clang-18
- Move clang-11, clang-12, clang-13 tests to ubuntu-22.04
- Add new clang-14 through clang-17 tests on ubuntu-latest
- Add gcc-11 through gcc-14 tests
- Remove obsolete ubuntu-20.04 jobs (gcc-7, gcc-8, clang-6 through clang-10)
- Update IWYU job to use clang-18 on ubuntu-latest
- Fix cpplint errors: add missing includes and fix namespace indentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@etr @claude
Fix valgrind CI job for Ubuntu 24.04
e78b6cc 
- Remove valgrind-dbg package (debug symbols now included in main package)
- Update valgrind job to use GCC 14 instead of GCC 10

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@etr @claude
Use GCC 13 for valgrind job to avoid -Woverloaded-virtual error
6e6bc9f 
GCC 14 with -Werror catches a latent warning in littletest.hpp test
framework that older compilers don't flag. Use GCC 13 for now.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@etr
Fix issues with valgrind running on g++-14
b180794
@etr
FIx issue with overloads in tests
d8ec8ed
@etr
Fix issue with gnutls
198a201
@etr
Fix all cpplint issues
b50b804
@etr
Added codacy suppressions
c1baab1
@etr
No need for codacy yaml. It is configured via UI
9c5a591
@etr etr merged commit f15a7b0 into master Jan 27, 2026
38 checks passed
@etr etr mentioned this pull request Jan 27, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@etr