package com.yahoo.jrt;

import com.yahoo.jrt.CryptoSocket;
import com.yahoo.security.tls.ConnectionAuthContext;
import com.yahoo.security.tls.PeerAuthorizationFailedException;
import com.yahoo.security.tls.TransportSecurityUtils;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException;
import java.nio.channels.SocketChannel;
import java.util.Objects;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;

/* loaded from: input_file:com/yahoo/jrt/TlsCryptoSocket.class */
public class TlsCryptoSocket implements CryptoSocket {
    private static final ByteBuffer NULL_BUFFER = ByteBuffer.allocate(0);
    private static final Logger log = Logger.getLogger(TlsCryptoSocket.class.getName());
    private final SocketChannel channel;
    private final SSLEngine sslEngine;
    private int sessionPacketBufferSize;
    private int sessionApplicationBufferSize;
    private ByteBuffer handshakeDummyBuffer;
    private HandshakeState handshakeState;
    private ConnectionAuthContext authContext;
    private final TransportMetrics metrics = TransportMetrics.getInstance();
    private final Buffer wrapBuffer = new Buffer(0);
    private final Buffer unwrapBuffer = new Buffer(0);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.yahoo.jrt.TlsCryptoSocket$1, reason: invalid class name */
    /* loaded from: input_file:com/yahoo/jrt/TlsCryptoSocket$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState;
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus;
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$Status = new int[SSLEngineResult.Status.values().length];

        static {
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.OK.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.BUFFER_OVERFLOW.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.BUFFER_UNDERFLOW.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus = new int[SSLEngineResult.HandshakeStatus.values().length];
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING.ordinal()] = 1;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_TASK.ordinal()] = 2;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_UNWRAP.ordinal()] = 3;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_WRAP.ordinal()] = 4;
            } catch (NoSuchFieldError e7) {
            }
            $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState = new int[HandshakeState.values().length];
            try {
                $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[HandshakeState.NOT_STARTED.ordinal()] = 1;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[HandshakeState.NEED_WRITE.ordinal()] = 2;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[HandshakeState.NEED_READ.ordinal()] = 3;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[HandshakeState.NEED_WORK.ordinal()] = 4;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[HandshakeState.COMPLETED.ordinal()] = 5;
            } catch (NoSuchFieldError e12) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jrt/TlsCryptoSocket$HandshakeState.class */
    public enum HandshakeState {
        NOT_STARTED,
        NEED_READ,
        NEED_WRITE,
        NEED_WORK,
        COMPLETED
    }

    public TlsCryptoSocket(SocketChannel socketChannel, SSLEngine sSLEngine) {
        this.channel = socketChannel;
        this.sslEngine = sSLEngine;
        SSLSession session = sSLEngine.getSession();
        this.sessionApplicationBufferSize = session.getApplicationBufferSize();
        this.sessionPacketBufferSize = session.getPacketBufferSize();
        this.handshakeDummyBuffer = ByteBuffer.allocate(this.sessionApplicationBufferSize);
        this.handshakeState = HandshakeState.NOT_STARTED;
        log.fine(() -> {
            return "Initialized with " + sSLEngine.toString();
        });
    }

    public void injectReadData(Buffer buffer) {
        this.unwrapBuffer.getWritable(buffer.bytes()).put(buffer.getReadable());
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public SocketChannel channel() {
        return this.channel;
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public CryptoSocket.HandshakeResult handshake() throws IOException {
        HandshakeState processHandshakeState = processHandshakeState(this.handshakeState);
        log.fine(() -> {
            return String.format("Handshake state '%s -> %s'", this.handshakeState, processHandshakeState);
        });
        this.handshakeState = processHandshakeState;
        return toHandshakeResult(processHandshakeState);
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public void doHandshakeWork() {
        while (true) {
            Runnable delegatedTask = this.sslEngine.getDelegatedTask();
            if (delegatedTask == null) {
                return;
            } else {
                delegatedTask.run();
            }
        }
    }

    private HandshakeState processHandshakeState(HandshakeState handshakeState) throws IOException {
        try {
            switch (AnonymousClass1.$SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[handshakeState.ordinal()]) {
                case Packet.FLAG_REVERSE /* 1 */:
                    log.fine(() -> {
                        return "Initiating handshake";
                    });
                    this.sslEngine.beginHandshake();
                    break;
                case Packet.FLAG_NOREPLY /* 2 */:
                    channelWrite();
                    break;
                case 3:
                    channelRead();
                    break;
                case 4:
                    break;
                case 5:
                    return HandshakeState.COMPLETED;
                default:
                    throw unhandledStateException(handshakeState);
            }
            while (true) {
                log.fine(() -> {
                    return "SSLEngine.getHandshakeStatus(): " + String.valueOf(this.sslEngine.getHandshakeStatus());
                });
                switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[this.sslEngine.getHandshakeStatus().ordinal()]) {
                    case Packet.FLAG_REVERSE /* 1 */:
                        if (this.wrapBuffer.bytes() > 0) {
                            return HandshakeState.NEED_WRITE;
                        }
                        this.sslEngine.setEnableSessionCreation(false);
                        this.handshakeDummyBuffer = null;
                        SSLSession session = this.sslEngine.getSession();
                        this.sessionApplicationBufferSize = session.getApplicationBufferSize();
                        this.sessionPacketBufferSize = session.getPacketBufferSize();
                        this.authContext = (ConnectionAuthContext) TransportSecurityUtils.getConnectionAuthContext(session).orElseThrow();
                        if (!this.authContext.authorized()) {
                            this.metrics.incrementPeerAuthorizationFailures();
                        }
                        log.fine(() -> {
                            return String.format("Handshake complete: protocol=%s, cipherSuite=%s", session.getProtocol(), session.getCipherSuite());
                        });
                        if (this.sslEngine.getUseClientMode()) {
                            this.metrics.incrementClientTlsConnectionsEstablished();
                        } else {
                            this.metrics.incrementServerTlsConnectionsEstablished();
                        }
                        return HandshakeState.COMPLETED;
                    case Packet.FLAG_NOREPLY /* 2 */:
                        return HandshakeState.NEED_WORK;
                    case 3:
                        if (this.wrapBuffer.bytes() <= 0) {
                            if (!handshakeUnwrap()) {
                                return HandshakeState.NEED_READ;
                            }
                            break;
                        } else {
                            return HandshakeState.NEED_WRITE;
                        }
                    case 4:
                        if (!handshakeWrap()) {
                            return HandshakeState.NEED_WRITE;
                        }
                        break;
                    default:
                        throw new IllegalStateException("Unexpected handshake status: " + String.valueOf(this.sslEngine.getHandshakeStatus()));
                }
            }
        } catch (SSLHandshakeException e) {
            if (!(e.getCause() instanceof PeerAuthorizationFailedException)) {
                this.metrics.incrementTlsCertificateVerificationFailures();
            }
            throw e;
        }
    }

    private static CryptoSocket.HandshakeResult toHandshakeResult(HandshakeState handshakeState) {
        switch (AnonymousClass1.$SwitchMap$com$yahoo$jrt$TlsCryptoSocket$HandshakeState[handshakeState.ordinal()]) {
            case Packet.FLAG_NOREPLY /* 2 */:
                return CryptoSocket.HandshakeResult.NEED_WRITE;
            case 3:
                return CryptoSocket.HandshakeResult.NEED_READ;
            case 4:
                return CryptoSocket.HandshakeResult.NEED_WORK;
            case 5:
                return CryptoSocket.HandshakeResult.DONE;
            default:
                throw unhandledStateException(handshakeState);
        }
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public int getMinimumReadBufferSize() {
        return this.sessionApplicationBufferSize;
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public int read(ByteBuffer byteBuffer) throws IOException {
        verifyHandshakeCompleted();
        int drain = drain(byteBuffer);
        if (drain > 0) {
            return drain;
        }
        if (channelRead() == 0) {
            return 0;
        }
        return drain(byteBuffer);
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public int drain(ByteBuffer byteBuffer) throws IOException {
        verifyHandshakeCompleted();
        int i = 0;
        while (true) {
            int i2 = i;
            int applicationDataUnwrap = applicationDataUnwrap(byteBuffer);
            if (applicationDataUnwrap < 0) {
                return i2;
            }
            i = i2 + applicationDataUnwrap;
        }
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public int write(ByteBuffer byteBuffer) throws IOException {
        verifyHandshakeCompleted();
        if (flush() == CryptoSocket.FlushResult.NEED_WRITE) {
            return 0;
        }
        int i = 0;
        do {
            int applicationDataWrap = applicationDataWrap(byteBuffer);
            i += applicationDataWrap;
            if (applicationDataWrap <= 0) {
                break;
            }
        } while (this.wrapBuffer.bytes() < this.sessionPacketBufferSize);
        return i;
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public CryptoSocket.FlushResult flush() throws IOException {
        verifyHandshakeCompleted();
        channelWrite();
        return this.wrapBuffer.bytes() > 0 ? CryptoSocket.FlushResult.NEED_WRITE : CryptoSocket.FlushResult.DONE;
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public void dropEmptyBuffers() {
        this.wrapBuffer.shrink(0);
        this.unwrapBuffer.shrink(0);
    }

    @Override // com.yahoo.jrt.CryptoSocket
    public ConnectionAuthContext connectionAuthContext() {
        if (this.handshakeState != HandshakeState.COMPLETED) {
            throw new IllegalStateException("Handshake not complete");
        }
        return (ConnectionAuthContext) Objects.requireNonNull(this.authContext);
    }

    private boolean handshakeWrap() throws IOException {
        SSLEngineResult sslEngineWrap = sslEngineWrap(NULL_BUFFER);
        switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$Status[sslEngineWrap.getStatus().ordinal()]) {
            case Packet.FLAG_REVERSE /* 1 */:
                return true;
            case Packet.FLAG_NOREPLY /* 2 */:
                this.sessionPacketBufferSize = this.sslEngine.getSession().getPacketBufferSize();
                return false;
            default:
                throw unexpectedStatusException(sslEngineWrap.getStatus());
        }
    }

    private int applicationDataWrap(ByteBuffer byteBuffer) throws IOException {
        SSLEngineResult sslEngineWrap = sslEngineWrap(byteBuffer);
        failIfRenegotiationDetected(sslEngineWrap);
        switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$Status[sslEngineWrap.getStatus().ordinal()]) {
            case Packet.FLAG_REVERSE /* 1 */:
                return sslEngineWrap.bytesConsumed();
            case Packet.FLAG_NOREPLY /* 2 */:
                return 0;
            default:
                throw unexpectedStatusException(sslEngineWrap.getStatus());
        }
    }

    private SSLEngineResult sslEngineWrap(ByteBuffer byteBuffer) throws IOException {
        SSLEngineResult wrap = this.sslEngine.wrap(byteBuffer, this.wrapBuffer.getWritable(this.sessionPacketBufferSize));
        failIfCloseSignalDetected(wrap);
        return wrap;
    }

    private boolean handshakeUnwrap() throws IOException {
        SSLEngineResult sslEngineUnwrap = sslEngineUnwrap(this.handshakeDummyBuffer);
        switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$Status[sslEngineUnwrap.getStatus().ordinal()]) {
            case Packet.FLAG_REVERSE /* 1 */:
                if (sslEngineUnwrap.bytesProduced() > 0) {
                    throw new SSLException("Got application data in handshake unwrap");
                }
                return true;
            case 3:
                return false;
            default:
                throw unexpectedStatusException(sslEngineUnwrap.getStatus());
        }
    }

    private int applicationDataUnwrap(ByteBuffer byteBuffer) throws IOException {
        SSLEngineResult sslEngineUnwrap = sslEngineUnwrap(byteBuffer);
        failIfRenegotiationDetected(sslEngineUnwrap);
        switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$Status[sslEngineUnwrap.getStatus().ordinal()]) {
            case Packet.FLAG_REVERSE /* 1 */:
                return sslEngineUnwrap.bytesProduced();
            case Packet.FLAG_NOREPLY /* 2 */:
            case 3:
                return -1;
            default:
                throw unexpectedStatusException(sslEngineUnwrap.getStatus());
        }
    }

    private SSLEngineResult sslEngineUnwrap(ByteBuffer byteBuffer) throws IOException {
        SSLEngineResult unwrap = this.sslEngine.unwrap(this.unwrapBuffer.getReadable(), byteBuffer);
        failIfCloseSignalDetected(unwrap);
        return unwrap;
    }

    private int channelRead() throws IOException {
        int read = this.channel.read(this.unwrapBuffer.getWritable(this.sessionPacketBufferSize));
        if (read == -1) {
            throw new ClosedChannelException();
        }
        return read;
    }

    private int channelWrite() throws IOException {
        return this.channel.write(this.wrapBuffer.getReadable());
    }

    private static void failIfCloseSignalDetected(SSLEngineResult sSLEngineResult) throws ClosedChannelException {
        if (sSLEngineResult.getStatus() == SSLEngineResult.Status.CLOSED) {
            throw new ClosedChannelException();
        }
    }

    private static void failIfRenegotiationDetected(SSLEngineResult sSLEngineResult) throws SSLException {
        if (sSLEngineResult.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING && sSLEngineResult.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.FINISHED) {
            throw new SSLException("Renegotiation detected");
        }
    }

    private static IllegalStateException unhandledStateException(HandshakeState handshakeState) {
        return new IllegalStateException("Unhandled state: " + String.valueOf(handshakeState));
    }

    private static IllegalStateException unexpectedStatusException(SSLEngineResult.Status status) {
        return new IllegalStateException("Unexpected status: " + String.valueOf(status));
    }

    private void verifyHandshakeCompleted() throws SSLException {
        if (this.handshakeState != HandshakeState.COMPLETED) {
            throw new SSLException("Handshake not completed: handshakeState=" + String.valueOf(this.handshakeState));
        }
    }
}
