package org.b.b.r;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import org.b.b.r.an;
import org.b.b.r.cm;

/* loaded from: classes.dex */
/**
 * Client side of a DTLS handshake, as recovered by a decompiler (identifiers are obfuscated).
 *
 * <p>{@link #connect} builds the per-handshake state, then {@link #clientHandshake} drives the
 * message exchange over the record layer ({@code am}) and returns a transport wrapper
 * ({@code ar}) once both Finished messages have been exchanged.
 *
 * <p>Handshake message types and alert descriptions appear as bare numeric literals. The names
 * given in comments below are the ones those values carry in the TLS/DTLS specifications
 * (RFC 5246 / RFC 6347); they are not taken from symbols in this file.
 *
 * <p>NOTE(review): server certificate acceptance is not decided in this class. The parsed chain
 * is handed to the key exchange object and to the client's authentication callback (see
 * {@link #processServerCertificate}); whatever validation exists lives there.
 */
public class ah extends ak {

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: classes.dex */
    /**
     * Mutable state for one handshake attempt. All fields are package-visible and are written
     * directly by the methods of the enclosing class.
     */
    public static class a {
        // Application-supplied client callbacks and the context created for this handshake.
        cz client = null;
        db clientContext = null;
        // Session offered for resumption (if any) and its exported parameters.
        er tlsSession = null;
        cm sessionParameters = null;
        cm.a sessionParametersBuilder = null;
        // What the ClientHello offered; ServerHello selections are checked against these.
        int[] offeredCipherSuites = null;
        short[] offeredCompressionMethods = null;
        Hashtable clientExtensions = null;
        // Values selected by the server in ServerHello (-1 = not yet set).
        byte[] selectedSessionID = null;
        int selectedCipherSuite = -1;
        short selectedCompressionMethod = -1;
        // Set to true only when the server returns a renegotiation_info extension.
        boolean secure_renegotiation = false;
        short maxFragmentLength = -1;
        // Gate optional server messages: CertificateStatus and NewSessionTicket respectively.
        boolean allowCertificateStatus = false;
        boolean expectSessionTicket = false;
        du keyExchange = null;
        // Stays null unless a server Certificate message was processed.
        cv authentication = null;
        t certificateStatus = null;
        s certificateRequest = null;
        df clientCredentials = null;

        protected a() {
        }
    }

    /**
     * Creates the protocol driver.
     *
     * @param secureRandom randomness source passed to the superclass; {@link #connect} reads it
     *     back as {@code this.secureRandom} when creating the client context
     */
    public ah(SecureRandom secureRandom) {
        super(secureRandom);
    }

    /**
     * Returns a copy of a ClientHello body with the given cookie spliced in.
     *
     * <p>The byte at offset 34 is read as the session_id length, so the cookie length byte sits at
     * {@code 35 + sessionIdLength}. The existing length byte at that position is replaced and the
     * remainder of the original body (starting one byte later) is appended after the cookie. This
     * only yields a well-formed message if the original body carried an empty cookie, which is
     * what {@link #generateClientHello} writes.
     *
     * <p>NOTE(review): no bounds checks are made on {@code bArr}; a body shorter than the computed
     * offsets surfaces as an unchecked array exception. The only caller visible here passes the
     * output of {@link #generateClientHello}.
     *
     * @param bArr original ClientHello body
     * @param bArr2 cookie taken from the server's HelloVerifyRequest
     * @return new array of length {@code bArr.length + bArr2.length}
     * @throws IOException from {@code ew.checkUint8} — presumably when the cookie length does not
     *     fit in one byte (TODO confirm against {@code ew})
     */
    protected static byte[] patchClientHelloWithCookie(byte[] bArr, byte[] bArr2) throws IOException {
        // Position of the cookie length byte, and of the first byte after it.
        int readUint8 = ew.readUint8(bArr, 34) + 35;
        int i = readUint8 + 1;
        byte[] bArr3 = new byte[bArr.length + bArr2.length];
        System.arraycopy(bArr, 0, bArr3, 0, readUint8);
        ew.checkUint8(bArr2.length);
        ew.writeUint8(bArr2.length, bArr3, readUint8);
        System.arraycopy(bArr2, 0, bArr3, i, bArr2.length);
        System.arraycopy(bArr, i, bArr3, bArr2.length + i, bArr.length - i);
        return bArr3;
    }

    /**
     * Runs the client handshake to completion and returns the established transport.
     *
     * <p>Sequence: ClientHello, optional HelloVerifyRequest round trips, ServerHello, then either
     * an abbreviated handshake (session resumption) or the full exchange of certificate, key
     * exchange and Finished messages. Optional server messages are accepted only in the fixed
     * order coded below; anything else ends in an {@code unexpected_message} (10) alert.
     *
     * @param aVar handshake state prepared by {@link #connect}
     * @param amVar record layer used for this connection
     * @return transport wrapper around {@code amVar}
     * @throws IOException on any protocol violation ({@code dr} carries the alert description)
     *     or transport failure
     */
    protected ar clientHandshake(a aVar, am amVar) throws IOException {
        r rVar;
        cg securityParameters = aVar.clientContext.getSecurityParameters();
        an anVar = new an(aVar.clientContext, amVar);
        byte[] generateClientHello = generateClientHello(aVar, aVar.client);
        // Message type 1 = client_hello.
        anVar.sendMessage((short) 1, generateClientHello);
        an.a receiveMessage = anVar.receiveMessage();
        // Type 3 = hello_verify_request. Each one triggers a fresh ClientHello carrying the
        // server's cookie, with the handshake digest reset so earlier messages are not hashed.
        // NOTE(review): this method puts no cap on the number of HelloVerifyRequest rounds; any
        // bound has to come from receiveMessage()/the transport (not visible here).
        while (receiveMessage.getType() == 3) {
            // The record-layer version seen so far must not exceed the version the client offered.
            if (!amVar.resetDiscoveredPeerVersion().isEqualOrEarlierVersionOf(aVar.clientContext.getClientVersion())) {
                throw new dr((short) 47);
            }
            byte[] patchClientHelloWithCookie = patchClientHelloWithCookie(generateClientHello, processHelloVerifyRequest(aVar, receiveMessage.getBody()));
            anVar.resetHandshakeMessagesDigest();
            anVar.sendMessage((short) 1, patchClientHelloWithCookie);
            receiveMessage = anVar.receiveMessage();
        }
        // Type 2 = server_hello; anything else here is unexpected_message (10).
        if (receiveMessage.getType() != 2) {
            throw new dr((short) 10);
        }
        // The version is reported twice (record layer here, ServerHello body inside
        // processServerHello); reportServerVersion rejects the handshake if they differ.
        reportServerVersion(aVar, amVar.getDiscoveredPeerVersion());
        processServerHello(aVar, receiveMessage.getBody());
        if (aVar.maxFragmentLength >= 0) {
            // Plaintext limit is 2^(8 + code) for the negotiated max_fragment_length code.
            amVar.setPlaintextLimit(1 << (aVar.maxFragmentLength + 8));
        }
        securityParameters.cipherSuite = aVar.selectedCipherSuite;
        securityParameters.compressionAlgorithm = aVar.selectedCompressionMethod;
        securityParameters.prfAlgorithm = ed.getPRFAlgorithm(aVar.clientContext, aVar.selectedCipherSuite);
        securityParameters.verifyDataLength = 12;
        anVar.notifyHelloComplete();
        // Abbreviated handshake: the server echoed the session ID of the session we offered.
        if (aVar.selectedSessionID.length > 0 && aVar.tlsSession != null && org.b.h.a.areEqual(aVar.selectedSessionID, aVar.tlsSession.getSessionID())) {
            // A resumed session must keep its original cipher suite and compression method.
            if (securityParameters.getCipherSuite() != aVar.sessionParameters.getCipherSuite() || securityParameters.getCompressionAlgorithm() != aVar.sessionParameters.getCompressionAlgorithm()) {
                throw new dr((short) 47);
            }
            // NOTE(review): the extended-master-secret flag is taken from the stored session here,
            // overwriting the value set while building/processing the hellos.
            securityParameters.extendedMasterSecret = dq.hasExtendedMasterSecretExtension(aVar.sessionParameters.readServerExtensions());
            securityParameters.masterSecret = org.b.h.a.clone(aVar.sessionParameters.getMasterSecret());
            amVar.initPendingEpoch(aVar.client.getCipher());
            // On resumption the server's Finished (type 20) is verified before ours is sent.
            processFinished(anVar.receiveMessageBody((short) 20), ew.calculateVerifyData(aVar.clientContext, bh.server_finished, ed.getCurrentPRFHash(aVar.clientContext, anVar.getHandshakeHash(), null)));
            anVar.sendMessage((short) 20, ew.calculateVerifyData(aVar.clientContext, bh.client_finished, ed.getCurrentPRFHash(aVar.clientContext, anVar.getHandshakeHash(), null)));
            anVar.finish();
            aVar.clientContext.setResumableSession(aVar.tlsSession);
            aVar.client.notifyHandshakeComplete();
            return new ar(amVar);
        }
        // Full handshake: drop any offered session and start a new one if the server issued an ID.
        invalidateSession(aVar);
        if (aVar.selectedSessionID.length > 0) {
            aVar.tlsSession = new es(aVar.selectedSessionID, null);
        }
        an.a receiveMessage2 = anVar.receiveMessage();
        // Type 23 = supplemental_data (optional).
        if (receiveMessage2.getType() == 23) {
            processServerSupplementalData(aVar, receiveMessage2.getBody());
            receiveMessage2 = anVar.receiveMessage();
        } else {
            aVar.client.processServerSupplementalData(null);
        }
        aVar.keyExchange = aVar.client.getKeyExchange();
        aVar.keyExchange.init(aVar.clientContext);
        // Type 11 = certificate. Whether a handshake without a server certificate is acceptable
        // is left to keyExchange.skipServerCredentials(); aVar.authentication stays null then.
        if (receiveMessage2.getType() == 11) {
            rVar = processServerCertificate(aVar, receiveMessage2.getBody());
            receiveMessage2 = anVar.receiveMessage();
        } else {
            aVar.keyExchange.skipServerCredentials();
            rVar = null;
        }
        // Without a (non-empty) server chain a CertificateStatus message is not accepted.
        if (rVar == null || rVar.isEmpty()) {
            aVar.allowCertificateStatus = false;
        }
        // Type 22 = certificate_status (optional; rejected inside unless negotiated).
        if (receiveMessage2.getType() == 22) {
            processCertificateStatus(aVar, receiveMessage2.getBody());
            receiveMessage2 = anVar.receiveMessage();
        }
        // Type 12 = server_key_exchange (optional depending on the key exchange).
        if (receiveMessage2.getType() == 12) {
            processServerKeyExchange(aVar, receiveMessage2.getBody());
            receiveMessage2 = anVar.receiveMessage();
        } else {
            aVar.keyExchange.skipServerKeyExchange();
        }
        // Type 13 = certificate_request (optional).
        if (receiveMessage2.getType() == 13) {
            processCertificateRequest(aVar, receiveMessage2.getBody());
            ew.trackHashAlgorithms(anVar.getHandshakeHash(), aVar.certificateRequest.getSupportedSignatureAlgorithms());
            receiveMessage2 = anVar.receiveMessage();
        }
        // Type 14 = server_hello_done: mandatory at this point and must have an empty body
        // (10 = unexpected_message, 50 = decode_error).
        if (receiveMessage2.getType() != 14) {
            throw new dr((short) 10);
        }
        if (receiveMessage2.getBody().length != 0) {
            throw new dr((short) 50);
        }
        anVar.getHandshakeHash().sealHashAlgorithms();
        Vector clientSupplementalData = aVar.client.getClientSupplementalData();
        if (clientSupplementalData != null) {
            anVar.sendMessage((short) 23, generateSupplementalData(clientSupplementalData));
        }
        if (aVar.certificateRequest != null) {
            aVar.clientCredentials = aVar.authentication.getClientCredentials(aVar.certificateRequest);
            r certificate = aVar.clientCredentials != null ? aVar.clientCredentials.getCertificate() : null;
            // A certificate request is always answered; with no credentials an empty chain is sent.
            if (certificate == null) {
                certificate = r.EMPTY_CHAIN;
            }
            anVar.sendMessage((short) 11, generateCertificate(certificate));
        }
        if (aVar.clientCredentials != null) {
            aVar.keyExchange.processClientCredentials(aVar.clientCredentials);
        } else {
            aVar.keyExchange.skipClientCredentials();
        }
        // Type 16 = client_key_exchange.
        anVar.sendMessage((short) 16, generateClientKeyExchange(aVar));
        // The session hash is taken over the transcript up to and including ClientKeyExchange,
        // before the master secret is established from it.
        ds prepareToFinish = anVar.prepareToFinish();
        securityParameters.sessionHash = ed.getCurrentPRFHash(aVar.clientContext, prepareToFinish, null);
        ed.establishMasterSecret(aVar.clientContext, aVar.keyExchange);
        amVar.initPendingEpoch(aVar.client.getCipher());
        // Type 15 = certificate_verify, sent only when the client credentials can sign.
        if (aVar.clientCredentials != null && (aVar.clientCredentials instanceof eu)) {
            eu euVar = (eu) aVar.clientCredentials;
            co signatureAndHashAlgorithm = ew.getSignatureAndHashAlgorithm(aVar.clientContext, euVar);
            // With no explicit signature/hash algorithm the session hash is signed; otherwise the
            // transcript hash for the chosen hash algorithm.
            anVar.sendMessage((short) 15, generateCertificateVerify(aVar, new bc(signatureAndHashAlgorithm, euVar.generateCertificateSignature(signatureAndHashAlgorithm == null ? securityParameters.getSessionHash() : prepareToFinish.getFinalHash(signatureAndHashAlgorithm.getHash())))));
        }
        // Type 20 = finished (client).
        anVar.sendMessage((short) 20, ew.calculateVerifyData(aVar.clientContext, bh.client_finished, ed.getCurrentPRFHash(aVar.clientContext, anVar.getHandshakeHash(), null)));
        if (aVar.expectSessionTicket) {
            // Type 4 = new_session_ticket; mandatory once the server has announced it.
            an.a receiveMessage3 = anVar.receiveMessage();
            if (receiveMessage3.getType() != 4) {
                throw new dr((short) 10);
            }
            processNewSessionTicket(aVar, receiveMessage3.getBody());
        }
        // Server Finished is checked against verify data computed locally from the transcript.
        processFinished(anVar.receiveMessageBody((short) 20), ew.calculateVerifyData(aVar.clientContext, bh.server_finished, ed.getCurrentPRFHash(aVar.clientContext, anVar.getHandshakeHash(), null)));
        anVar.finish();
        if (aVar.tlsSession != null) {
            // The master secret and peer certificate are stored in the resumable session object,
            // so that object is as sensitive as the connection keys themselves.
            aVar.sessionParameters = new cm.a().setCipherSuite(securityParameters.cipherSuite).setCompressionAlgorithm(securityParameters.compressionAlgorithm).setMasterSecret(securityParameters.masterSecret).setPeerCertificate(rVar).setPSKIdentity(securityParameters.pskIdentity).setSRPIdentity(securityParameters.srpIdentity).build();
            aVar.tlsSession = ew.importSession(aVar.tlsSession.getSessionID(), aVar.sessionParameters);
            aVar.clientContext.setResumableSession(aVar.tlsSession);
        }
        aVar.client.notifyHandshakeComplete();
        return new ar(amVar);
    }

    /**
     * Performs a DTLS client handshake over the given transport.
     *
     * <p>Creates the security parameters and client context, generates the client random,
     * picks up a session to resume when the client offers one with exportable parameters, and
     * then delegates to {@link #clientHandshake}. Every failure path calls {@code amVar.fail}
     * with an alert description before the exception propagates.
     *
     * @param czVar client callbacks; must not be null
     * @param asVar datagram transport; must not be null
     * @return the established transport
     * @throws IllegalArgumentException if either argument is null
     * @throws IOException if the handshake fails; a {@code RuntimeException} raised during the
     *     handshake is rethrown wrapped in a {@code dr} with description 80 (internal_error)
     */
    public ar connect(cz czVar, as asVar) throws IOException {
        cm exportSessionParameters;
        if (czVar == null) {
            throw new IllegalArgumentException("'client' cannot be null");
        }
        if (asVar == null) {
            throw new IllegalArgumentException("'transport' cannot be null");
        }
        cg cgVar = new cg();
        // NOTE(review): 1 presumably marks the client side of the connection — confirm in cg.
        cgVar.entity = 1;
        a aVar = new a();
        aVar.client = czVar;
        aVar.clientContext = new db(this.secureRandom, cgVar);
        cgVar.clientRandom = ed.createRandomBlock(czVar.shouldUseGMTUnixTime(), aVar.clientContext.getNonceRandomGenerator());
        czVar.init(aVar.clientContext);
        // 22 is the TLS record content type for handshake messages.
        am amVar = new am(asVar, aVar.clientContext, czVar, (short) 22);
        er sessionToResume = aVar.client.getSessionToResume();
        // Resumption is attempted only when the session can still export its parameters.
        if (sessionToResume != null && (exportSessionParameters = sessionToResume.exportSessionParameters()) != null) {
            aVar.tlsSession = sessionToResume;
            aVar.sessionParameters = exportSessionParameters;
        }
        try {
            return clientHandshake(aVar, amVar);
        } catch (RuntimeException e) {
            // 80 = internal_error.
            amVar.fail((short) 80);
            throw new dr((short) 80, e);
        } catch (dr e2) {
            // Protocol alerts raised locally are passed to the record layer with their own code.
            amVar.fail(e2.getAlertDescription());
            throw e2;
        } catch (IOException e3) {
            amVar.fail((short) 80);
            throw e3;
        }
    }

    /**
     * Serialises a CertificateVerify body.
     *
     * @param aVar handshake state (unused here)
     * @param bcVar signed value to encode
     * @return encoded bytes
     * @throws IOException if encoding fails
     */
    protected byte[] generateCertificateVerify(a aVar, bc bcVar) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        bcVar.encode(byteArrayOutputStream);
        return byteArrayOutputStream.toByteArray();
    }

    /**
     * Builds the ClientHello body and records what was offered in {@code aVar}.
     *
     * <p>Layout written: client version, client random, session ID (opaque8), empty cookie
     * (opaque8), cipher suites, compression methods, then extensions if the client supplies any.
     *
     * @param aVar handshake state; {@code offeredCipherSuites}, {@code offeredCompressionMethods}
     *     and {@code clientExtensions} are set here
     * @param czVar client callbacks supplying version, cipher suites and extensions
     * @return encoded ClientHello body
     * @throws IOException with description 80 (internal_error) if the client version is not a
     *     DTLS version, or if writing fails
     */
    protected byte[] generateClientHello(a aVar, cz czVar) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ca clientVersion = czVar.getClientVersion();
        if (!clientVersion.isDTLS()) {
            throw new dr((short) 80);
        }
        db dbVar = aVar.clientContext;
        dbVar.setClientVersion(clientVersion);
        ew.writeVersion(clientVersion, byteArrayOutputStream);
        cg securityParameters = dbVar.getSecurityParameters();
        byteArrayOutputStream.write(securityParameters.getClientRandom());
        byte[] bArr = ew.EMPTY_BYTES;
        // Offer the stored session ID only if it is present and at most 32 bytes long.
        if (aVar.tlsSession != null && ((bArr = aVar.tlsSession.getSessionID()) == null || bArr.length > 32)) {
            bArr = ew.EMPTY_BYTES;
        }
        ew.writeOpaque8(bArr, byteArrayOutputStream);
        // Empty cookie; patchClientHelloWithCookie relies on this single zero length byte.
        ew.writeOpaque8(ew.EMPTY_BYTES, byteArrayOutputStream);
        boolean isFallback = czVar.isFallback();
        aVar.offeredCipherSuites = czVar.getCipherSuites();
        aVar.clientExtensions = czVar.getClientExtensions();
        securityParameters.extendedMasterSecret = dq.hasExtendedMasterSecretExtension(aVar.clientExtensions);
        // If the client sends no renegotiation_info extension, signal secure renegotiation
        // support with cipher suite value 255 (0x00FF, the empty-renegotiation-info SCSV in the
        // TLS registry) unless it is already in the list.
        boolean z = ew.getExtensionData(aVar.clientExtensions, ed.EXT_RenegotiationInfo) == null;
        boolean z2 = !org.b.h.a.contains(aVar.offeredCipherSuites, 255);
        if (z && z2) {
            aVar.offeredCipherSuites = org.b.h.a.append(aVar.offeredCipherSuites, 255);
        }
        // A client that marks this attempt as a version fallback appends the fallback SCSV.
        if (isFallback && !org.b.h.a.contains(aVar.offeredCipherSuites, z.TLS_FALLBACK_SCSV)) {
            aVar.offeredCipherSuites = org.b.h.a.append(aVar.offeredCipherSuites, z.TLS_FALLBACK_SCSV);
        }
        ew.writeUint16ArrayWithUint16Length(aVar.offeredCipherSuites, byteArrayOutputStream);
        // Only compression method 0 (null) is offered.
        aVar.offeredCompressionMethods = new short[]{0};
        ew.writeUint8ArrayWithUint8Length(aVar.offeredCompressionMethods, byteArrayOutputStream);
        if (aVar.clientExtensions != null) {
            ed.writeExtensions(byteArrayOutputStream, aVar.clientExtensions);
        }
        return byteArrayOutputStream.toByteArray();
    }

    /**
     * Serialises the ClientKeyExchange body produced by the negotiated key exchange.
     *
     * @param aVar handshake state; {@code keyExchange} must already be initialised
     * @return encoded bytes
     * @throws IOException if the key exchange fails to write its message
     */
    protected byte[] generateClientKeyExchange(a aVar) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        aVar.keyExchange.generateClientKeyExchange(byteArrayOutputStream);
        return byteArrayOutputStream.toByteArray();
    }

    /**
     * Discards the session that was offered for resumption.
     *
     * <p>Calls {@code clear()} on the session parameters and {@code invalidate()} on the session
     * before dropping both references (presumably wiping the stored master secret — confirm in
     * {@code cm}).
     *
     * @param aVar handshake state to update
     */
    protected void invalidateSession(a aVar) {
        if (aVar.sessionParameters != null) {
            aVar.sessionParameters.clear();
            aVar.sessionParameters = null;
        }
        if (aVar.tlsSession != null) {
            aVar.tlsSession.invalidate();
            aVar.tlsSession = null;
        }
    }

    /**
     * Parses and validates a CertificateRequest message.
     *
     * @param aVar handshake state; {@code certificateRequest} is set on success
     * @param bArr message body
     * @throws IOException with description 40 (handshake_failure) when no server certificate was
     *     processed ({@code authentication} is null), or on parse errors, trailing bytes, or
     *     rejection by the key exchange
     */
    protected void processCertificateRequest(a aVar, byte[] bArr) throws IOException {
        // A server that did not authenticate itself may not request client authentication.
        if (aVar.authentication == null) {
            throw new dr((short) 40);
        }
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        aVar.certificateRequest = s.parse(aVar.clientContext, byteArrayInputStream);
        // Trailing bytes after the parsed structure are rejected.
        ed.assertEmpty(byteArrayInputStream);
        aVar.keyExchange.validateCertificateRequest(aVar.certificateRequest);
    }

    /**
     * Parses a CertificateStatus message and stores it in {@code aVar.certificateStatus}.
     *
     * <p>NOTE(review): the status is only parsed and stored here; nothing in this class inspects
     * its content.
     *
     * @param aVar handshake state
     * @param bArr message body
     * @throws IOException with description 10 (unexpected_message) if the message was not
     *     negotiated, or on parse errors or trailing bytes
     */
    protected void processCertificateStatus(a aVar, byte[] bArr) throws IOException {
        if (!aVar.allowCertificateStatus) {
            throw new dr((short) 10);
        }
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        aVar.certificateStatus = t.parse(byteArrayInputStream);
        ed.assertEmpty(byteArrayInputStream);
    }

    /**
     * Parses a HelloVerifyRequest and returns the cookie to echo back.
     *
     * @param aVar handshake state (client version is read from its context)
     * @param bArr message body
     * @return the server's cookie
     * @throws IOException with description 47 (illegal_parameter) if the server version is later
     *     than the client version, or if the cookie exceeds 32 bytes while the server version is
     *     earlier than DTLS 1.2; also on parse errors or trailing bytes
     */
    protected byte[] processHelloVerifyRequest(a aVar, byte[] bArr) throws IOException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        ca readVersion = ew.readVersion(byteArrayInputStream);
        byte[] readOpaque8 = ew.readOpaque8(byteArrayInputStream);
        ed.assertEmpty(byteArrayInputStream);
        if (!readVersion.isEqualOrEarlierVersionOf(aVar.clientContext.getClientVersion())) {
            throw new dr((short) 47);
        }
        // The 32-byte cookie limit is applied only below DTLS 1.2; from DTLS 1.2 on, the opaque8
        // encoding is the only bound.
        if (ca.DTLSv12.isEqualOrEarlierVersionOf(readVersion) || readOpaque8.length <= 32) {
            return readOpaque8;
        }
        throw new dr((short) 47);
    }

    /**
     * Parses a NewSessionTicket message and passes the ticket to the client callback.
     *
     * @param aVar handshake state
     * @param bArr message body
     * @throws IOException on parse errors or trailing bytes
     */
    protected void processNewSessionTicket(a aVar, byte[] bArr) throws IOException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        bv parse = bv.parse(byteArrayInputStream);
        ed.assertEmpty(byteArrayInputStream);
        aVar.client.notifyNewSessionTicket(parse);
    }

    /**
     * Parses the server Certificate message and hands the chain to the key exchange and to the
     * client's authentication callback.
     *
     * <p>NOTE(review): no chain, validity-period or name check is visible in this method. Trust
     * in the server certificate depends on {@code notifyServerCertificate} (and whatever the key
     * exchange does with the chain); a callback that returns without throwing accepts the
     * certificate. Audit the {@code cv} implementation supplied by the application.
     *
     * @param aVar handshake state; {@code authentication} is set here
     * @param bArr message body
     * @return the parsed certificate chain
     * @throws IOException on parse errors, trailing bytes, or rejection by the callees
     */
    protected r processServerCertificate(a aVar, byte[] bArr) throws IOException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        r parse = r.parse(byteArrayInputStream);
        ed.assertEmpty(byteArrayInputStream);
        aVar.keyExchange.processServerCertificate(parse);
        aVar.authentication = aVar.client.getAuthentication();
        aVar.authentication.notifyServerCertificate(parse);
        return parse;
    }

    /**
     * Parses ServerHello and checks every server selection against what the client offered.
     *
     * <p>Rejected with 47 (illegal_parameter) unless noted: session ID longer than 32 bytes;
     * cipher suite not offered, zero, an SCSV, or not valid for the server version; compression
     * method not offered; encrypt-then-MAC with a non-block cipher suite. Rejected with 40
     * (handshake_failure): extended_master_secret presence differing from the client's offer, or
     * a renegotiation_info value other than the empty one. Rejected with
     * {@code unsupported_extension}: any server extension the client did not send (other than
     * renegotiation_info).
     *
     * @param aVar handshake state; the {@code selected*} fields and extension-derived flags are
     *     written here
     * @param bArr ServerHello body
     * @throws IOException on any of the violations above or on parse errors
     */
    protected void processServerHello(a aVar, byte[] bArr) throws IOException {
        cg securityParameters = aVar.clientContext.getSecurityParameters();
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        ca readVersion = ew.readVersion(byteArrayInputStream);
        reportServerVersion(aVar, readVersion);
        securityParameters.serverRandom = ew.readFully(32, byteArrayInputStream);
        aVar.selectedSessionID = ew.readOpaque8(byteArrayInputStream);
        if (aVar.selectedSessionID.length > 32) {
            throw new dr((short) 47);
        }
        aVar.client.notifySessionID(aVar.selectedSessionID);
        aVar.selectedCipherSuite = ew.readUint16(byteArrayInputStream);
        // The server may only pick a real suite from the offered list; SCSV signalling values
        // appended by generateClientHello are explicitly excluded.
        if (!org.b.h.a.contains(aVar.offeredCipherSuites, aVar.selectedCipherSuite) || aVar.selectedCipherSuite == 0 || z.isSCSV(aVar.selectedCipherSuite) || !ew.isValidCipherSuiteForVersion(aVar.selectedCipherSuite, readVersion)) {
            throw new dr((short) 47);
        }
        validateSelectedCipherSuite(aVar.selectedCipherSuite, (short) 47);
        aVar.client.notifySelectedCipherSuite(aVar.selectedCipherSuite);
        aVar.selectedCompressionMethod = ew.readUint8(byteArrayInputStream);
        if (!org.b.h.a.contains(aVar.offeredCompressionMethods, aVar.selectedCompressionMethod)) {
            throw new dr((short) 47);
        }
        aVar.client.notifySelectedCompressionMethod(aVar.selectedCompressionMethod);
        Hashtable readExtensions = ed.readExtensions(byteArrayInputStream);
        // The server must mirror the client's extended_master_secret choice exactly; a client
        // that offered it will not continue with a server that omits it.
        if (dq.hasExtendedMasterSecretExtension(readExtensions) != securityParameters.extendedMasterSecret) {
            throw new dr((short) 40);
        }
        if (readExtensions != null) {
            Enumeration keys = readExtensions.keys();
            while (keys.hasMoreElements()) {
                Integer num = (Integer) keys.nextElement();
                if (!num.equals(ed.EXT_RenegotiationInfo)) {
                    // Unsolicited extensions are a protocol violation.
                    if (ew.getExtensionData(aVar.clientExtensions, num) == null) {
                        throw new dr(l.unsupported_extension);
                    }
                    // Empty branch with no effect; presumably decompiler residue of a block that
                    // held only comments in the original source.
                    if (num.equals(dq.EXT_extended_master_secret)) {
                    }
                }
            }
            byte[] bArr2 = (byte[]) readExtensions.get(ed.EXT_RenegotiationInfo);
            if (bArr2 != null) {
                aVar.secure_renegotiation = true;
                // On an initial handshake the extension must encode an empty value; compared in
                // constant time.
                if (!org.b.h.a.constantTimeAreEqual(bArr2, ed.createRenegotiationInfo(ew.EMPTY_BYTES))) {
                    throw new dr((short) 40);
                }
            }
            boolean hasEncryptThenMACExtension = dq.hasEncryptThenMACExtension(readExtensions);
            if (hasEncryptThenMACExtension && !ew.isBlockCipherSuite(aVar.selectedCipherSuite)) {
                throw new dr((short) 47);
            }
            securityParameters.encryptThenMAC = hasEncryptThenMACExtension;
            aVar.maxFragmentLength = evaluateMaxFragmentLengthExtension(aVar.clientExtensions, readExtensions, (short) 47);
            securityParameters.truncatedHMac = dq.hasTruncatedHMacExtension(readExtensions);
            aVar.allowCertificateStatus = ew.hasExpectedEmptyExtensionData(readExtensions, dq.EXT_status_request, (short) 47);
            aVar.expectSessionTicket = ew.hasExpectedEmptyExtensionData(readExtensions, ed.EXT_SessionTicket, (short) 47);
        }
        // NOTE(review): a server that sends no renegotiation_info leaves secure_renegotiation
        // false and the handshake still proceeds; whether to accept such a peer is left to the
        // client's notifySecureRenegotiation callback.
        aVar.client.notifySecureRenegotiation(aVar.secure_renegotiation);
        if (aVar.clientExtensions != null) {
            aVar.client.processServerExtensions(readExtensions);
        }
    }

    /**
     * Feeds a ServerKeyExchange body to the negotiated key exchange.
     *
     * @param aVar handshake state; {@code keyExchange} must already be initialised
     * @param bArr message body
     * @throws IOException if the key exchange rejects the message or bytes are left over
     */
    protected void processServerKeyExchange(a aVar, byte[] bArr) throws IOException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        aVar.keyExchange.processServerKeyExchange(byteArrayInputStream);
        ed.assertEmpty(byteArrayInputStream);
    }

    /**
     * Parses a server SupplementalData message and passes the entries to the client callback.
     *
     * @param aVar handshake state
     * @param bArr message body
     * @throws IOException on parse errors or if the callback rejects the data
     */
    protected void processServerSupplementalData(a aVar, byte[] bArr) throws IOException {
        aVar.client.processServerSupplementalData(ed.readSupplementalDataMessage(new ByteArrayInputStream(bArr)));
    }

    /**
     * Records the server's protocol version on first use and enforces that every later report
     * matches it.
     *
     * @param aVar handshake state
     * @param caVar version observed (from the record layer or from ServerHello)
     * @throws IOException with description 47 (illegal_parameter) if a different version was
     *     recorded earlier, or if the client callback rejects the version
     */
    protected void reportServerVersion(a aVar, ca caVar) throws IOException {
        db dbVar = aVar.clientContext;
        ca serverVersion = dbVar.getServerVersion();
        if (serverVersion == null) {
            dbVar.setServerVersion(caVar);
            aVar.client.notifyServerVersion(caVar);
        } else if (!serverVersion.equals(caVar)) {
            throw new dr((short) 47);
        }
    }
}
