proxy_role/overlay/Linux/usr/local/bin/proxy_curl_lib.bash

402 lines
11 KiB
Bash
Raw Normal View History

2024-01-06 01:57:28 +00:00
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
## proxy_ami_cloudflared
proxy_ami_cloudflared() {
[ $# -gt 0 ] || return 1
local ip=$1
for no in "${CLOUDFN[@]}" ; do
nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
[[ $ip =~ ${nopat}.* ]] && {
# WARN $url cloudflared $ip $no
echo True
return 0
}
done
echo False
return 0
}
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
[ $# -gt 0 ] || return 1
local ip=$1
a=`proxy_ami_cloudflared $ip`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
for no in "${CLOUDFN[@]}" ; do
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
done
echo False
return 0
}
## proxy_ami_nottlsv3
proxy_ami_nottlsv3() {
[ $# -gt 0 ] || return 1
local site=$1
for no in "${NOTLSV3[@]}" ; do
[[ $site =~ $no ]] && echo True && return 0
done
echo False
return 0
}
declare -a NOTLSV3
NOTLSV3=(
# connection refused
www.mirrorservice.org
# no ipv3
files.pythonhosted.org
# forbidden
download.nvidia.com
# 500
www.x.org
)
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
104.24.0.0/14
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
)
#for no in "${CLOUDFN[@]}" ; do
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done
# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
[0]=OK
[1]=ERR_UNSPECIFIED
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
[3]=ERR_UNABLE_TO_GET_CRL
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
[7]=ERR_CERT_SIGNATURE_FAILURE
[8]=ERR_CRL_SIGNATURE_FAILURE
[9]=ERR_CERT_NOT_YET_VALID
[10]=ERR_CERT_HAS_EXPIRED
[11]=ERR_CRL_NOT_YET_VALID
[12]=ERR_CRL_HAS_EXPIRED
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
[17]=ERR_OUT_OF_MEM
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[22]=ERR_CERT_CHAIN_TOO_LONG
[23]=ERR_CERT_REVOKED
[24]=ERR_INVALID_CA
[25]=ERR_PATH_LENGTH_EXCEEDED
[26]=ERR_INVALID_PURPOSE
[27]=ERR_CERT_UNTRUSTED
[28]=ERR_CERT_REJECTED
# These are 'informational' when looking for issuer cert
[29]=ERR_SUBJECT_ISSUER_MISMATCH
[30]=ERR_AKID_SKID_MISMATCH
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
[32]=ERR_KEYUSAGE_NO_CERTSIGN
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
[37]=ERR_INVALID_NON_CA
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
[41]=ERR_INVALID_EXTENSION
[42]=ERR_INVALID_POLICY_EXTENSION
[43]=ERR_NO_EXPLICIT_POLICY
[44]=ERR_DIFFERENT_CRL_SCOPE
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
[46]=ERR_UNNESTED_RESOURCE
[47]=ERR_PERMITTED_VIOLATION
[48]=ERR_EXCLUDED_VIOLATION
[49]=ERR_SUBTREE_MINMAX
# The application is not happy
[50]=ERR_APPLICATION_VERIFICATION
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
[54]=ERR_CRL_PATH_VALIDATION_ERROR
# Another issuer check debug option
[55]=ERR_PATH_LOOP
# Suite B mode algorithm violation
[56]=ERR_SUITE_B_INVALID_VERSION
[57]=ERR_SUITE_B_INVALID_ALGORITHM
[58]=ERR_SUITE_B_INVALID_CURVE
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
# Host, email and IP check errors
[62]=ERR_HOSTNAME_MISMATCH
[63]=ERR_EMAIL_MISMATCH
[64]=ERR_IP_ADDRESS_MISMATCH
# DANE TLSA errors
[65]=ERR_DANE_NO_MATCH
# security level errors
[66]=ERR_EE_KEY_TOO_SMALL
[67]=ERR_CA_KEY_TOO_SMALL
[68]=ERR_CA_MD_TOO_WEAK
# Caller error
[69]=ERR_INVALID_CALL
# Issuer lookup error
[70]=ERR_STORE_LOOKUP
# Certificate transparency
[71]=ERR_NO_VALID_SCTS
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
# OCSP status errors
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
[77]=ERR_NO_ISSUER_PUBLIC_KEY
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
)
# man 3 libcurl-errors
declare -A CURLE
CURLE=(
[0]=CURLE_OK
[1]=CURLE_UNSUPPORTED_PROTOCOL
[2]=CURLE_FAILED_INIT
[3]=CURLE_URL_MALFORMAT
[4]=CURLE_NOT_BUILT_IN
[5]=CURLE_COULDNT_RESOLVE_PROXY
[6]=CURLE_COULDNT_RESOLVE_HOST
[7]=CURLE_COULDNT_CONNECT
[8]=CURLE_WEIRD_SERVER_REPLY
[9]=CURLE_REMOTE_ACCESS_DENIED
[10]=CURLE_FTP_ACCEPT_FAILED
[11]=CURLE_FTP_WEIRD_PASS_REPLY
[12]=CURLE_FTP_ACCEPT_TIMEOUT
[13]=CURLE_FTP_WEIRD_PASV_REPLY
[14]=CURLE_FTP_WEIRD_227_FORMAT
[15]=CURLE_FTP_CANT_GET_HOST
[16]=CURLE_HTTP2
[17]=CURLE_FTP_COULDNT_SET_TYPE
[18]=CURLE_PARTIAL_FILE
[19]=CURLE_FTP_COULDNT_RETR_FILE
[21]=CURLE_QUOTE_ERROR
[22]=CURLE_HTTP_RETURNED_ERROR
[23]=CURLE_WRITE_ERROR
[25]=CURLE_UPLOAD_FAILED
[26]=CURLE_READ_ERROR
[27]=CURLE_OUT_OF_MEMORY
[28]=CURLE_OPERATION_TIMEDOUT
[30]=CURLE_FTP_PORT_FAILED
[31]=CURLE_FTP_COULDNT_USE_REST
[33]=CURLE_RANGE_ERROR
[34]=CURLE_HTTP_POST_ERROR
[35]=CURLE_SSL_CONNECT_ERROR
[36]=CURLE_BAD_DOWNLOAD_RESUME
[37]=CURLE_FILE_COULDNT_READ_FILE
[38]=CURLE_LDAP_CANNOT_BIND
[39]=CURLE_LDAP_SEARCH_FAILED
[41]=CURLE_FUNCTION_NOT_FOUND
[42]=CURLE_ABORTED_BY_CALLBACK
[43]=CURLE_BAD_FUNCTION_ARGUMENT
[45]=CURLE_INTERFACE_FAILED
[47]=CURLE_TOO_MANY_REDIRECTS
[48]=CURLE_UNKNOWN_OPTION
[49]=CURLE_SETOPT_OPTION_SYNTAX
[52]=CURLE_GOT_NOTHING
[53]=CURLE_SSL_ENGINE_NOTFOUND
[54]=CURLE_SSL_ENGINE_SETFAILED
[55]=CURLE_SEND_ERROR
[56]=CURLE_RECV_ERROR
[58]=CURLE_SSL_CERTPROBLEM
[59]=CURLE_SSL_CIPHER
[60]=CURLE_PEER_FAILED_VERIFICATION
[61]=CURLE_BAD_CONTENT_ENCODING
[62]=CURLE_LDAP_INVALID_URL
[63]=CURLE_FILESIZE_EXCEEDED
[64]=CURLE_USE_SSL_FAILED
[65]=CURLE_SEND_FAIL_REWIND
[66]=CURLE_SSL_ENGINE_INITFAILED
[67]=CURLE_LOGIN_DENIED
[68]=CURLE_TFTP_NOTFOUND
[69]=CURLE_TFTP_PERM
[70]=CURLE_REMOTE_DISK_FULL
[71]=CURLE_TFTP_ILLEGAL
[72]=CURLE_TFTP_UNKNOWNID
[73]=CURLE_REMOTE_FILE_EXISTS
[74]=CURLE_TFTP_NOSUCHUSER
[75]=CURLE_CONV_FAILED
[76]=CURLE_CONV_REQD
[77]=CURLE_SSL_CACERT_BADFILE
[78]=CURLE_REMOTE_FILE_NOT_FOUND
[79]=CURLE_SSH
[80]=CURLE_SSL_SHUTDOWN_FAILED
[81]=CURLE_AGAIN
[82]=CURLE_SSL_CRL_BADFILE
[83]=CURLE_SSL_ISSUER_ERROR
[84]=CURLE_FTP_PRET_FAILED
[85]=CURLE_RTSP_CSEQ_ERROR
[86]=CURLE_RTSP_SESSION_ERROR
[87]=CURLE_FTP_BAD_FILE_LIST
[88]=CURLE_CHUNK_FAILED
[89]=CURLE_NO_CONNECTION_AVAILABLE
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
[91]=CURLE_SSL_INVALIDCERTSTATUS
[92]=CURLE_HTTP2_STREAM
[93]=CURLE_RECURSIVE_API_CALL
[94]=CURLE_AUTH_ERROR
[95]=CURLE_HTTP3
[96]=CURLE_QUIC_CONNECT_ERROR
[98]=CURLE_SSL_CLIENTCERT
[99]=CURLE_UNRECOVERABLE_POLL
)
# 20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
[100]="Continue"
[101]="Switching Protocols"
[103]="Early Hints"
[200]="OK"
[201]="Created"
[202]="Accepted"
[203]="Non-Authoritative Information"
[204]="No Content"
[205]="Reset Content"
[206]="Partial Content"
[300]="Multiple Choices"
[301]="Moved Permanently"
[302]="Found"
[303]="See Other"
[304]="Not Modified"
[307]="Temporary Redirect"
[308]="Permanent Redirect"
[400]="Bad Request"
[401]="Unauthorized"
[402]="Payment Required"
[403]="Forbidden"
[404]="Not Found"
[405]="Method Not Allowed"
[406]="Not Acceptable"
[407]="Proxy Authentication Required"
[408]="Request Timeout"
[409]="Conflict"
[410]="Gone"
[411]="Length Required"
[412]="Precondition Failed"
[413]="Payload Too Large"
[414]="URI Too Long"
[415]="Unsupported Media Type"
[416]="Range Not Satisfiable"
[417]="Expectation Failed"
[418]="Im a teapot"
[422]="Unprocessable Entity"
[425]="Too Early"
[426]="Upgrade Required"
[428]="Precondition Required"
[429]="Too Many Requests"
[431]="Request Header Fields Too Large"
[451]="Unavailable For Legal Reasons"
[500]="Internal Server Error"
[501]="Not Implemented"
[502]="Bad Gateway"
[503]="Service Unavailable"
[504]="Gateway Timeout"
[505]="HTTP Version Not Supported"
[506]="Variant Also Negotiates"
[507]="Insufficient Storage"
[508]="Loop Detected"
[510]="Not Extended"
[511]="Network Authentication Required"
)
# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
declare -a SSL_ALERT_CODES
# B.2. Alert Messages
SSL_ALERT_CODES=(
[0]="close_notify"
[10]="unexpected_message"
[20]="bad_record_mac"
[21]="decryption_failed_RESERVED"
[22]="record_overflow"
[30]="decompression_failure_RESERVED"
[40]="handshake_failure"
[41]="no_certificate_RESERVED"
[42]="bad_certificate"
[43]="unsupported_certificate"
[44]="certificate_revoked"
[45]="certificate_expired"
[46]="certificate_unknown"
[47]="illegal_parameter"
[48]="unknown_ca"
[49]="access_denied"
[50]="decode_error"
[51]="decrypt_error"
[60]="export_restriction_RESERVED"
[70]="protocol_version"
[71]="insufficient_security"
[80]="internal_error"
[86]="inappropriate_fallback"
[90]="user_canceled"
[100]="no_renegotiation_RESERVED"
[109]="missing_extension"
[110]="unsupported_extension"
[111]="certificate_unobtainable_RESERVED"
[112]="unrecognized_name"
[113]="bad_certificate_status_response"
[114]="bad_certificate_hash_value_RESERVED"
[115]="unknown_psk_identity"
[116]="certificate_required"
[120]="no_application_protocol"
)
# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi