|
"source": "// Written by retoor@molodetz.nl\n\n// The source code provides functionality for making HTTP POST and GET requests over SSL/TLS using OpenSSL. It includes initialization and cleanup of the OpenSSL library, creation of SSL context, socket creation and connection, and sending requests with handling responses. Furthermore, it interfaces with JSON and handles authentication using an external \"auth.h\" file.\n\n// Includes: \"auth.h\", <json-c/json.h>\n\n// MIT License\n\n#ifndef CALPACA_HTTP_H\n#define CALPACA_HTTP_H\n\n#include <stdio.h>\n#include <string.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <arpa/inet.h>\n#include <netdb.h>\n#include <openssl/ssl.h>\n#include <openssl/err.h>\n#include \"auth.h\"\n#include <json-c/json.h>\n\nvoid init_openssl() {\n SSL_load_error_strings();\n OpenSSL_add_ssl_algorithms();\n}\n\nvoid cleanup_openssl() {\n EVP_cleanup();\n}\n\nSSL_CTX *create_context() {\n const SSL_METHOD *method = TLS_method();\n SSL_CTX *ctx = SSL_CTX_new(method);\n SSL_CTX_load_verify_locations(ctx, \"/etc/ssl/certs/ca-certificates.crt\", NULL);\n\n return ctx;\n}\n\nSSL_CTX *create_context2() {\n const SSL_METHOD *method = TLS_client_method();\n SSL_CTX *ctx = SSL_CTX_new(method);\n if (!ctx) {\n perror(\"Unable to create SSL context\");\n ERR_print_errors_fp(stderr);\n exit(EXIT_FAILURE);\n }\n\n return ctx;\n}\n\nint create_socket(const char *hostname, int port) {\n struct hostent *host;\n struct sockaddr_in addr;\n\n host = gethostbyname(hostname);\n if (!host) {\n perror(\"Unable to resolve host\");\n exit(EXIT_FAILURE);\n }\n\n int sock = socket(AF_INET, SOCK_STREAM, 0);\n if (sock < 0) {\n perror(\"Unable to create socket\");\n exit(EXIT_FAILURE);\n }\n\n addr.sin_family = AF_INET;\n addr.sin_port = htons(port);\n addr.sin_addr.s_addr = *(long *)(host->h_addr);\n\n if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) != 0) {\n perror(\"Unable to connect to host\");\n close(sock);\n exit(EXIT_FAILURE);\n }\n\n return sock;\n}\n\nchar *http_post(const char *hostname, char *url, char *data) {\n init_openssl();\n int port = 443;\n SSL_CTX *ctx = create_context();\n int sock = create_socket(hostname, port);\n SSL *ssl = SSL_new(ctx);\n SSL_set_connect_state(ssl);\n SSL_set_tlsext_host_name(ssl, hostname);\n SSL_set_fd(ssl, sock);\n\n int buffer_size = 4096;\n char *buffer = malloc(buffer_size);\n \n if (SSL_connect(ssl) <= 0) {\n ERR_print_errors_fp(stderr);\n } else {\n size_t len = strlen(data);\n char *request = malloc(len + 4096);\n sprintf(request,\n \"POST %s HTTP/1.1\\r\\n\"\n \"Content-Length: %ld\\r\\n\"\n \"Content-Type: application/json\\r\\n\"\n \"Host: api.openai.com\\r\\n\"\n \"Authorization: Bearer %s\\r\\n\"\n \"Connection: close\\r\\n\\r\\n%s\",\n url, len, api_key, data);\n \n SSL_write(ssl, request, strlen(request));\n free(request);\n\n int bytes;\n int bytes_total = 0;\n while ((bytes = SSL_read(ssl, buffer + bytes_total, buffer_size - 1)) > 0) {\n bytes_total += bytes;\n buffer = realloc(buffer, bytes_total + buffer_size);\n buffer[bytes_total] = '\\0';\n }\n }\n\n SSL_free(ssl);\n close(sock);\n SSL_CTX_free(ctx);\n cleanup_openssl();\n \n return buffer;\n}\n\nchar *http_get(const char *hostname, char *url) {\n init_openssl();\n int port = 443;\n SSL_CTX *ctx = create_context();\n int sock = create_socket(hostname, port);\n SSL *ssl = SSL_new(ctx);\n SSL_set_connect_state(ssl);\n SSL_set_tlsext_host_name(ssl, hostname);\n SSL_set_fd(ssl, sock);\n\n int buffer_size = 4096;\n char *buffer = malloc(buffer_size);\n\n if (SSL_connect(ssl) <= 0) {\n ERR_print_errors_fp(stderr);\n } else {\n char request[buffer_size];\n sprintf(request,\n \"GET %s HTTP/1.1\\r\\n\"\n \"Host: api.openai.com\\r\\n\"\n \"Authorization: Bearer %s\\r\\n\"\n \"Connection: close\\r\\n\\r\\n\",\n url, api_key);\n\n SSL_write(ssl, request, strlen(request));\n\n int bytes;\n int bytes_total = 0;\n while ((bytes = SSL_read(ssl, buffer + bytes_total, buffer_size - 1)) > 0) {\n bytes_total += bytes;\n buffer = realloc(buffer, bytes_total + buffer_size);\n buffer[bytes_total] = '\\0';\n }\n }\n\n SSL_free(ssl);\n close(sock);\n SSL_CTX_free(ctx);\n cleanup_openssl();\n\n return buffer;\n}\n#endif",
|
|
"review": "# 6\n\n## Bugs\n- `create_context` and `create_context2` functions are redundant; however, only `create_context2` performs error checking, which is crucial.\n- Use of `gethostbyname` is deprecated; it should be replaced with more modern alternatives like `getaddrinfo`.\n- `api_key` is used within `http_post` and `http_get` functions without being defined in the code.\n- Risk of memory leak when reallocating the buffer if `realloc` fails, the original buffer is not freed, and the system would have reduced memory.\n- `close(sock)` does not check for errors.\n\n## Optimizations\n- Consolidate `create_context` and `create_context2` into a single function to avoid redundancy and potential maintenance issues.\n- Use `getaddrinfo` instead of `gethostbyname` for better compatibility and thread safety.\n- Include proper error handling if `realloc` fails to make efficient memory management.\n- Specify size when using `malloc` or `realloc` for buffer to enhance readability and maintenance.\n- Use `snprintf` instead of `sprintf` to avoid buffer overflow vulnerabilities.\n\n## Good points\n- Proper initialization and cleanup of OpenSSL.\n- Effective use of OpenSSL APIs to set up TLS/SSL connections.\n- Clear function separation for handling different tasks like initializing SSL, creating sockets, and managing HTTP requests.\n- Usage of dynamic memory management for buffer handling shows good understanding.\n\n## Summary\nThe code demonstrates an understanding of OpenSSL API for creating secure HTTP connections over SSL/TLS, and effectively segregates the key functionalities. However, there are a few significant issues that need addressing, including handling deprecated functions, managing possible memory leaks, and ensuring error checking across all parts of the code. The use of global `api_key` is problematic since its source isn't evident within the code snippet. Memory handling and duplication of functions are areas where optimizations could significantly enhance the robustness and efficiency of the code.\n\n## Open source alternatives\n- **Libcurl**: A widely used library that offers a simple and consistent API for making HTTP requests, supporting a variety of protocols and features including SSL/TLS.\n- **Boost.Beast**: This C++ library is part of the Boost collection, providing an HTTP and WebSocket client and server built on top of Boost.Asio. It offers SSL/TLS support via OpenSSL.\n- **HttpClient in Poco**: The POCO C++ Libraries offer components that simplify HTTP/S communications, including robust support for SSL/TLS.",
|