#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-

ROLE=proxy

. /usr/local/bin/usr_local_tput.bash || exit 2

## proxy_ami_cloudflared
proxy_ami_cloudflared() {
    [ $# -gt 0 ] || return 1
    local ip=$1
    # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
    # a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
    # https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
    for no in "${CLOUDF[@]}" ; do
	nopat=`sed -e 's/\.0.*//' <<< $no`
	[[ $ip =~ ${nopat}.* ]] && {
	    # WARN $url cloudflared $ip $no
	    echo True
	    return 0
	    }
    done
    echo False
    return 0
}
	
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
    [ $# -gt 0 ] || return 1
    local ip=$1
    a=`proxy_ami_cloudflared $ip`
    if [ $? -eq 0 -a "$a" = True ] ; then
	echo $a
	return 0
    fi
    
    for no in "${CLOUDF[@]}" ; do
	a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
	if [ $? -eq 0 -a "$a" = True ] ; then
	    echo $a
	    return 0
	fi
    done
    echo False
    return 0
}

# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
	[0]=OK
	[1]=ERR_UNSPECIFIED
	[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
	[3]=ERR_UNABLE_TO_GET_CRL
	[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
	[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
	[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
	[7]=ERR_CERT_SIGNATURE_FAILURE
	[8]=ERR_CRL_SIGNATURE_FAILURE
	[9]=ERR_CERT_NOT_YET_VALID
	[10]=ERR_CERT_HAS_EXPIRED
	[11]=ERR_CRL_NOT_YET_VALID
	[12]=ERR_CRL_HAS_EXPIRED
	[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
	[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
	[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
	[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
	[17]=ERR_OUT_OF_MEM
	[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
	[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
	[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
	[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
	[22]=ERR_CERT_CHAIN_TOO_LONG
	[23]=ERR_CERT_REVOKED
	[24]=ERR_INVALID_CA
	[25]=ERR_PATH_LENGTH_EXCEEDED
	[26]=ERR_INVALID_PURPOSE
	[27]=ERR_CERT_UNTRUSTED
	[28]=ERR_CERT_REJECTED
	# These are 'informational' when looking for issuer cert
	[29]=ERR_SUBJECT_ISSUER_MISMATCH
	[30]=ERR_AKID_SKID_MISMATCH
	[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
	[32]=ERR_KEYUSAGE_NO_CERTSIGN
	[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
	[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
	[35]=ERR_KEYUSAGE_NO_CRL_SIGN
	[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
	[37]=ERR_INVALID_NON_CA
	[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
	[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
	[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
	[41]=ERR_INVALID_EXTENSION
	[42]=ERR_INVALID_POLICY_EXTENSION
	[43]=ERR_NO_EXPLICIT_POLICY
	[44]=ERR_DIFFERENT_CRL_SCOPE
	[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
	[46]=ERR_UNNESTED_RESOURCE
	[47]=ERR_PERMITTED_VIOLATION
	[48]=ERR_EXCLUDED_VIOLATION
	[49]=ERR_SUBTREE_MINMAX
	# The application is not happy
	[50]=ERR_APPLICATION_VERIFICATION
	[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
	[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
	[53]=ERR_UNSUPPORTED_NAME_SYNTAX
	[54]=ERR_CRL_PATH_VALIDATION_ERROR
	# Another issuer check debug option
	[55]=ERR_PATH_LOOP
	# Suite B mode algorithm violation
	[56]=ERR_SUITE_B_INVALID_VERSION
	[57]=ERR_SUITE_B_INVALID_ALGORITHM
	[58]=ERR_SUITE_B_INVALID_CURVE
	[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
	[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
	[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
	# Host, email and IP check errors
	[62]=ERR_HOSTNAME_MISMATCH
	[63]=ERR_EMAIL_MISMATCH
	[64]=ERR_IP_ADDRESS_MISMATCH
	# DANE TLSA errors
	[65]=ERR_DANE_NO_MATCH
	# security level errors
	[66]=ERR_EE_KEY_TOO_SMALL
	[67]=ERR_CA_KEY_TOO_SMALL
	[68]=ERR_CA_MD_TOO_WEAK
	# Caller error
	[69]=ERR_INVALID_CALL
	# Issuer lookup error
	[70]=ERR_STORE_LOOKUP
	# Certificate transparency
	[71]=ERR_NO_VALID_SCTS

	[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
	# OCSP status errors
	[73]=ERR_OCSP_VERIFY_NEEDED  	# Need OCSP verification
	[74]=ERR_OCSP_VERIFY_FAILED  	# Couldn't verify cert through OCSP
	[75]=ERR_OCSP_CERT_UNKNOWN  	# Certificate wasn't recognized by the OCSP responder
	[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
	[77]=ERR_NO_ISSUER_PUBLIC_KEY
	[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
	[79]=ERR_EC_KEY_EXPLICIT_PARAMS
	)

# man 3 libcurl-errors
declare -A CURLE
CURLE=(
	[0]=CURLE_OK
	[1]=CURLE_UNSUPPORTED_PROTOCOL
	[2]=CURLE_FAILED_INIT
	[3]=CURLE_URL_MALFORMAT
	[4]=CURLE_NOT_BUILT_IN
	[5]=CURLE_COULDNT_RESOLVE_PROXY
	[6]=CURLE_COULDNT_RESOLVE_HOST
	[7]=CURLE_COULDNT_CONNECT
	[8]=CURLE_WEIRD_SERVER_REPLY
	[9]=CURLE_REMOTE_ACCESS_DENIED
	[10]=CURLE_FTP_ACCEPT_FAILED
	[11]=CURLE_FTP_WEIRD_PASS_REPLY
	[12]=CURLE_FTP_ACCEPT_TIMEOUT
	[13]=CURLE_FTP_WEIRD_PASV_REPLY
	[14]=CURLE_FTP_WEIRD_227_FORMAT
	[15]=CURLE_FTP_CANT_GET_HOST
	[16]=CURLE_HTTP2
	[17]=CURLE_FTP_COULDNT_SET_TYPE
	[18]=CURLE_PARTIAL_FILE
	[19]=CURLE_FTP_COULDNT_RETR_FILE
	[21]=CURLE_QUOTE_ERROR
	[22]=CURLE_HTTP_RETURNED_ERROR
	[23]=CURLE_WRITE_ERROR
	[25]=CURLE_UPLOAD_FAILED
	[26]=CURLE_READ_ERROR
	[27]=CURLE_OUT_OF_MEMORY
	[28]=CURLE_OPERATION_TIMEDOUT
	[30]=CURLE_FTP_PORT_FAILED
	[31]=CURLE_FTP_COULDNT_USE_REST
	[33]=CURLE_RANGE_ERROR
	[34]=CURLE_HTTP_POST_ERROR
	[35]=CURLE_SSL_CONNECT_ERROR
	[36]=CURLE_BAD_DOWNLOAD_RESUME
	[37]=CURLE_FILE_COULDNT_READ_FILE
	[38]=CURLE_LDAP_CANNOT_BIND
	[39]=CURLE_LDAP_SEARCH_FAILED
	[41]=CURLE_FUNCTION_NOT_FOUND
	[42]=CURLE_ABORTED_BY_CALLBACK
	[43]=CURLE_BAD_FUNCTION_ARGUMENT
	[45]=CURLE_INTERFACE_FAILED
	[47]=CURLE_TOO_MANY_REDIRECTS
	[48]=CURLE_UNKNOWN_OPTION
	[49]=CURLE_SETOPT_OPTION_SYNTAX
	[52]=CURLE_GOT_NOTHING
	[53]=CURLE_SSL_ENGINE_NOTFOUND
	[54]=CURLE_SSL_ENGINE_SETFAILED
	[55]=CURLE_SEND_ERROR
	[56]=CURLE_RECV_ERROR
	[58]=CURLE_SSL_CERTPROBLEM
	[59]=CURLE_SSL_CIPHER
	[60]=CURLE_PEER_FAILED_VERIFICATION
	[61]=CURLE_BAD_CONTENT_ENCODING
	[62]=CURLE_LDAP_INVALID_URL
	[63]=CURLE_FILESIZE_EXCEEDED
	[64]=CURLE_USE_SSL_FAILED
	[65]=CURLE_SEND_FAIL_REWIND
	[66]=CURLE_SSL_ENGINE_INITFAILED
	[67]=CURLE_LOGIN_DENIED
	[68]=CURLE_TFTP_NOTFOUND
	[69]=CURLE_TFTP_PERM
	[70]=CURLE_REMOTE_DISK_FULL
	[71]=CURLE_TFTP_ILLEGAL
	[72]=CURLE_TFTP_UNKNOWNID
	[73]=CURLE_REMOTE_FILE_EXISTS
	[74]=CURLE_TFTP_NOSUCHUSER
	[75]=CURLE_CONV_FAILED
	[76]=CURLE_CONV_REQD
	[77]=CURLE_SSL_CACERT_BADFILE
	[78]=CURLE_REMOTE_FILE_NOT_FOUND
	[79]=CURLE_SSH
	[80]=CURLE_SSL_SHUTDOWN_FAILED
	[81]=CURLE_AGAIN
	[82]=CURLE_SSL_CRL_BADFILE
	[83]=CURLE_SSL_ISSUER_ERROR
	[84]=CURLE_FTP_PRET_FAILED
	[85]=CURLE_RTSP_CSEQ_ERROR
	[86]=CURLE_RTSP_SESSION_ERROR
	[87]=CURLE_FTP_BAD_FILE_LIST
	[88]=CURLE_CHUNK_FAILED
	[89]=CURLE_NO_CONNECTION_AVAILABLE
	[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
	[91]=CURLE_SSL_INVALIDCERTSTATUS
	[92]=CURLE_HTTP2_STREAM
	[93]=CURLE_RECURSIVE_API_CALL
	[94]=CURLE_AUTH_ERROR
	[95]=CURLE_HTTP3
	[96]=CURLE_QUIC_CONNECT_ERROR
	[98]=CURLE_SSL_CLIENTCERT
	[99]=CURLE_UNRECOVERABLE_POLL
)

#    20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
	[100]="Continue"
	[101]="Switching Protocols"
	[103]="Early Hints"
	[200]="OK"
	[201]="Created"
	[202]="Accepted"
	[203]="Non-Authoritative Information"
	[204]="No Content"
	[205]="Reset Content"
	[206]="Partial Content"
	[300]="Multiple Choices"
	[301]="Moved Permanently"
	[302]="Found"
	[303]="See Other"
	[304]="Not Modified"
	[307]="Temporary Redirect"
	[308]="Permanent Redirect"
	[400]="Bad Request"
	[401]="Unauthorized"
	[402]="Payment Required"
	[403]="Forbidden"
	[404]="Not Found"
	[405]="Method Not Allowed"
	[406]="Not Acceptable"
	[407]="Proxy Authentication Required"
	[408]="Request Timeout"
	[409]="Conflict"
	[410]="Gone"
	[411]="Length Required"
	[412]="Precondition Failed"
	[413]="Payload Too Large"
	[414]="URI Too Long"
	[415]="Unsupported Media Type"
	[416]="Range Not Satisfiable"
	[417]="Expectation Failed"
	[418]="Im a teapot"
	[422]="Unprocessable Entity"
	[425]="Too Early"
	[426]="Upgrade Required"
	[428]="Precondition Required"
	[429]="Too Many Requests"
	[431]="Request Header Fields Too Large"
	[451]="Unavailable For Legal Reasons"
	[500]="Internal Server Error"
	[501]="Not Implemented"
	[502]="Bad Gateway"
	[503]="Service Unavailable"
	[504]="Gateway Timeout"
	[505]="HTTP Version Not Supported"
	[506]="Variant Also Negotiates"
	[507]="Insufficient Storage"
	[508]="Loop Detected"
	[510]="Not Extended"
	[511]="Network Authentication Required"
)

# https://curl.se/docs/ssl-ciphers.html

# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html

# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
    export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
    export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi

declare -a NOTLSV3
NOTLSV3=(
    # connection refused
    www.mirrorservice.org
    # no ipv3
    files.pythonhosted.org
)

#     https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
    173.245.48.0/20
    103.21.244.0/22
    103.22.200.0/22
    103.31.4.0/22
    141.101.64.0/18
    108.162.192.0/18
    190.93.240.0/20
    188.114.96.0/20
    197.234.240.0/22
    198.41.128.0/17
    162.158.0.0/15
    104.16.0.0/13
    104.24.0.0/14
    172.64.0.0/13
    131.0.72.0/22
)

#for no in "${CLOUDF[@]}" ; do
#  # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
#  a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done