package io.netty.handler.ssl;

import Bf.AbstractC0079k;
import ch.qos.logback.core.CoreConstants;
import io.netty.buffer.ByteBuf;
import io.netty.internal.tcnative.SSL;
import io.netty.internal.tcnative.SSLContext;
import io.netty.util.AbstractC2258c;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import tf.AbstractC3354c;
import tf.InterfaceC3327C;

/* loaded from: classes3.dex */
public abstract class H0 extends AbstractC2200a1 implements io.netty.util.H {
    private static final Integer DH_KEY_LENGTH;
    private final H apn;
    private volatile int bioNonApplicationBufferSize;
    final EnumC2227l clientAuth;
    protected long ctx;
    final ReadWriteLock ctxLock;
    final boolean enableOcsp;
    final T engineMap;
    final boolean hasTLSv13Cipher;
    final Certificate[] keyCertChain;
    private final io.netty.util.P leak;
    private final int mode;
    final String[] protocols;
    private final AbstractC2258c refCnt;
    final boolean tlsFalseStart;
    private final List<String> unmodifiableCiphers;
    private static final Cf.c logger = Cf.d.getInstance((Class<?>) H0.class);
    private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE = Math.max(1, Bf.o0.getInt("io.netty.handler.ssl.openssl.bioNonApplicationBufferSize", 2048));
    static final boolean USE_TASKS = Bf.o0.getBoolean("io.netty.handler.ssl.openssl.useTasks", true);
    private static final io.netty.util.L leakDetector = io.netty.util.N.instance().newResourceLeakDetector(H0.class);
    static final boolean CLIENT_ENABLE_SESSION_TICKET = Bf.o0.getBoolean("jdk.tls.client.enableSessionTicketExtension", false);
    static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13 = Bf.o0.getBoolean("jdk.tls.client.enableSessionTicketExtension", true);
    static final boolean SERVER_ENABLE_SESSION_TICKET = Bf.o0.getBoolean("jdk.tls.server.enableSessionTicketExtension", false);
    static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13 = Bf.o0.getBoolean("jdk.tls.server.enableSessionTicketExtension", true);
    static final boolean SERVER_ENABLE_SESSION_CACHE = Bf.o0.getBoolean("io.netty.handler.ssl.openssl.sessionCacheServer", true);
    static final boolean CLIENT_ENABLE_SESSION_CACHE = Bf.o0.getBoolean("io.netty.handler.ssl.openssl.sessionCacheClient", true);
    static final H NONE_PROTOCOL_NEGOTIATOR = new D0();

    static {
        Integer num = null;
        try {
            String str = Bf.o0.get("jdk.tls.ephemeralDHKeySize");
            if (str != null) {
                try {
                    num = Integer.valueOf(str);
                } catch (NumberFormatException unused) {
                    logger.debug("ReferenceCountedOpenSslContext supports -Djdk.tls.ephemeralDHKeySize={int}, but got: ".concat(str));
                }
            }
        } catch (Throwable unused2) {
        }
        DH_KEY_LENGTH = num;
    }

    public H0(Iterable<String> iterable, InterfaceC2225k interfaceC2225k, H h7, int i, Certificate[] certificateArr, EnumC2227l enumC2227l, String[] strArr, boolean z3, boolean z10, boolean z11, Map.Entry<C2209d1, Object>... entryArr) throws SSLException {
        super(z3);
        boolean z12;
        Integer num;
        this.refCnt = new C0(this);
        this.engineMap = new G0(null);
        this.ctxLock = new ReentrantReadWriteLock();
        this.bioNonApplicationBufferSize = DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE;
        G.ensureAvailability();
        if (z10 && !G.isOcspSupported()) {
            throw new IllegalStateException("OCSP is not supported.");
        }
        if (i != 1 && i != 0) {
            throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
        }
        boolean z13 = USE_TASKS;
        boolean z14 = false;
        if (entryArr != null) {
            num = null;
            z12 = false;
            for (Map.Entry<C2209d1, Object> entry : entryArr) {
                C2209d1 key = entry.getKey();
                if (key == Q.TLS_FALSE_START) {
                    z12 = ((Boolean) entry.getValue()).booleanValue();
                } else if (key == Q.USE_TASKS) {
                    z13 = ((Boolean) entry.getValue()).booleanValue();
                } else if (key == Q.PRIVATE_KEY_METHOD) {
                    com.nordvpn.android.persistence.dao.a.v(entry.getValue());
                } else if (key == Q.ASYNC_PRIVATE_KEY_METHOD) {
                    com.nordvpn.android.persistence.dao.a.v(entry.getValue());
                } else if (key == Q.CERTIFICATE_COMPRESSION_ALGORITHMS) {
                    com.nordvpn.android.persistence.dao.a.v(entry.getValue());
                } else if (key == Q.MAX_CERTIFICATE_LIST_BYTES) {
                    num = (Integer) entry.getValue();
                } else {
                    logger.debug("Skipping unsupported " + C2209d1.class.getSimpleName() + ": " + entry.getKey());
                }
            }
        } else {
            z12 = false;
            num = null;
        }
        this.tlsFalseStart = z12;
        this.leak = z11 ? leakDetector.track(this) : null;
        this.mode = i;
        this.clientAuth = isServer() ? (EnumC2227l) Bf.B.checkNotNull(enumC2227l, "clientAuth") : EnumC2227l.NONE;
        this.protocols = strArr == null ? G.defaultProtocols(i == 0) : strArr;
        this.enableOcsp = z10;
        this.keyCertChain = certificateArr == null ? null : (Certificate[]) certificateArr.clone();
        String[] filterCipherSuites = ((InterfaceC2225k) Bf.B.checkNotNull(interfaceC2225k, "cipherFilter")).filterCipherSuites(iterable, G.DEFAULT_CIPHERS, G.availableJavaCipherSuites());
        LinkedHashSet linkedHashSet = new LinkedHashSet(filterCipherSuites.length);
        Collections.addAll(linkedHashSet, filterCipherSuites);
        ArrayList arrayList = new ArrayList(linkedHashSet);
        this.unmodifiableCiphers = arrayList;
        this.apn = (H) Bf.B.checkNotNull(h7, "apn");
        try {
            boolean isTlsv13Supported = G.isTlsv13Supported();
            try {
                this.ctx = SSLContext.make(isTlsv13Supported ? 62 : 30, i);
                StringBuilder sb = new StringBuilder();
                StringBuilder sb2 = new StringBuilder();
                try {
                    if (arrayList.isEmpty()) {
                        SSLContext.setCipherSuite(this.ctx, CoreConstants.EMPTY_STRING, false);
                        if (isTlsv13Supported) {
                            SSLContext.setCipherSuite(this.ctx, CoreConstants.EMPTY_STRING, true);
                        }
                    } else {
                        AbstractC2223j.convertToCipherStrings(arrayList, sb, sb2, G.isBoringSSL());
                        SSLContext.setCipherSuite(this.ctx, sb.toString(), false);
                        if (isTlsv13Supported) {
                            String checkTls13Ciphers = G.checkTls13Ciphers(logger, sb2.toString());
                            SSLContext.setCipherSuite(this.ctx, checkTls13Ciphers, true);
                            if (!checkTls13Ciphers.isEmpty()) {
                                z14 = true;
                            }
                        }
                    }
                    int options = SSLContext.getOptions(this.ctx) | SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSL.SSL_OP_NO_TLSv1 | SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_CIPHER_SERVER_PREFERENCE | SSL.SSL_OP_NO_COMPRESSION | SSL.SSL_OP_NO_TICKET;
                    options = sb.length() == 0 ? options | SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSL.SSL_OP_NO_TLSv1 | SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2 : options;
                    options = isTlsv13Supported ? options : options | SSL.SSL_OP_NO_TLSv1_3;
                    this.hasTLSv13Cipher = z14;
                    SSLContext.setOptions(this.ctx, options);
                    long j = this.ctx;
                    SSLContext.setMode(j, SSLContext.getMode(j) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
                    Integer num2 = DH_KEY_LENGTH;
                    if (num2 != null) {
                        SSLContext.setTmpDHLength(this.ctx, num2.intValue());
                    }
                    D0 d02 = (D0) h7;
                    List<String> protocols = d02.protocols();
                    if (!protocols.isEmpty()) {
                        String[] strArr2 = (String[]) protocols.toArray(AbstractC0079k.EMPTY_STRINGS);
                        int opensslSelectorFailureBehavior = opensslSelectorFailureBehavior(d02.selectorFailureBehavior());
                        int i5 = E0.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol[d02.protocol().ordinal()];
                        if (i5 == 1) {
                            SSLContext.setNpnProtos(this.ctx, strArr2, opensslSelectorFailureBehavior);
                        } else if (i5 == 2) {
                            SSLContext.setAlpnProtos(this.ctx, strArr2, opensslSelectorFailureBehavior);
                        } else {
                            if (i5 != 3) {
                                throw new Error();
                            }
                            SSLContext.setNpnProtos(this.ctx, strArr2, opensslSelectorFailureBehavior);
                            SSLContext.setAlpnProtos(this.ctx, strArr2, opensslSelectorFailureBehavior);
                        }
                    }
                    if (z10) {
                        SSLContext.enableOcsp(this.ctx, isClient());
                    }
                    SSLContext.setUseTasks(this.ctx, z13);
                    if (num != null) {
                        SSLContext.setMaxCertList(this.ctx, num.intValue());
                    }
                    SSLContext.setCurvesList(this.ctx, G.NAMED_GROUPS);
                } catch (SSLException e4) {
                    throw e4;
                } catch (Exception e8) {
                    throw new SSLException("failed to set cipher suite: " + this.unmodifiableCiphers, e8);
                }
            } catch (Exception e10) {
                throw new SSLException("failed to create an SSL_CTX", e10);
            }
        } catch (Throwable th2) {
            release();
            throw th2;
        }
    }

    public static X509TrustManager chooseTrustManager(TrustManager[] trustManagerArr) {
        for (TrustManager trustManager : trustManagerArr) {
            if (trustManager instanceof X509TrustManager) {
                X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
                if (Bf.X.javaVersion() < 7) {
                    return x509TrustManager;
                }
                X509TrustManager wrapIfNeeded = AbstractC2239r0.wrapIfNeeded(x509TrustManager);
                return useExtendedTrustManager(wrapIfNeeded) ? new C2235p(wrapIfNeeded) : wrapIfNeeded;
            }
        }
        throw new IllegalStateException("no X509TrustManager found");
    }

    public static X509KeyManager chooseX509KeyManager(KeyManager[] keyManagerArr) {
        for (KeyManager keyManager : keyManagerArr) {
            if (keyManager instanceof X509KeyManager) {
                return (X509KeyManager) keyManager;
            }
        }
        throw new IllegalStateException("no X509KeyManager found");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void destroy() {
        Lock writeLock = this.ctxLock.writeLock();
        writeLock.lock();
        try {
            long j = this.ctx;
            if (j != 0) {
                if (this.enableOcsp) {
                    SSLContext.disableOcsp(j);
                }
                SSLContext.free(this.ctx);
                this.ctx = 0L;
                AbstractC2211e0 sessionContext = sessionContext();
                if (sessionContext != null) {
                    sessionContext.destroy();
                }
            }
            writeLock.unlock();
        } catch (Throwable th2) {
            writeLock.unlock();
            throw th2;
        }
    }

    public static void freeBio(long j) {
        if (j != 0) {
            SSL.freeBIO(j);
        }
    }

    private static long newBIO(ByteBuf byteBuf) throws Exception {
        try {
            long newMemBIO = SSL.newMemBIO();
            int readableBytes = byteBuf.readableBytes();
            if (SSL.bioWrite(newMemBIO, G.memoryAddress(byteBuf) + byteBuf.readerIndex(), readableBytes) == readableBytes) {
                return newMemBIO;
            }
            SSL.freeBIO(newMemBIO);
            throw new IllegalStateException("Could not write data to memory BIO");
        } finally {
            byteBuf.release();
        }
    }

    private static int opensslSelectorFailureBehavior(EnumC2204c enumC2204c) {
        int i = E0.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectorFailureBehavior[enumC2204c.ordinal()];
        if (i == 1) {
            return 0;
        }
        if (i == 2) {
            return 1;
        }
        throw new Error();
    }

    public static W providerFor(KeyManagerFactory keyManagerFactory, String str) {
        return keyManagerFactory instanceof C2228l0 ? ((C2228l0) keyManagerFactory).newProvider() : keyManagerFactory instanceof K ? ((K) keyManagerFactory).newProvider(str) : new W(chooseX509KeyManager(keyManagerFactory.getKeyManagers()), str);
    }

    /* JADX WARN: Removed duplicated region for block: B:31:0x00a0  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public static void setKeyMaterial(long r16, java.security.cert.X509Certificate[] r18, java.security.PrivateKey r19, java.lang.String r20) throws javax.net.ssl.SSLException {
        /*
            r0 = r19
            r1 = 0
            r3 = 0
            tf.C r4 = tf.InterfaceC3327C.DEFAULT     // Catch: java.lang.Throwable -> L86 java.lang.Exception -> L88 javax.net.ssl.SSLException -> L8a
            r5 = 1
            r6 = r18
            io.netty.handler.ssl.s0 r3 = io.netty.handler.ssl.AbstractC2249w0.toPEM(r4, r5, r6)     // Catch: java.lang.Throwable -> L86 java.lang.Exception -> L88 javax.net.ssl.SSLException -> L8a
            io.netty.handler.ssl.s0 r6 = r3.retain()     // Catch: java.lang.Throwable -> L74 java.lang.Exception -> L7a javax.net.ssl.SSLException -> L80
            long r14 = toBIO(r4, r6)     // Catch: java.lang.Throwable -> L74 java.lang.Exception -> L7a javax.net.ssl.SSLException -> L80
            io.netty.handler.ssl.s0 r6 = r3.retain()     // Catch: java.lang.Throwable -> L65 java.lang.Exception -> L6a javax.net.ssl.SSLException -> L6f
            long r11 = toBIO(r4, r6)     // Catch: java.lang.Throwable -> L65 java.lang.Exception -> L6a javax.net.ssl.SSLException -> L6f
            if (r0 == 0) goto L2e
            long r1 = toBIO(r4, r0)     // Catch: java.lang.Throwable -> L25 java.lang.Exception -> L28 javax.net.ssl.SSLException -> L2b
            goto L2e
        L25:
            r0 = move-exception
            goto L95
        L28:
            r0 = move-exception
            goto L8c
        L2b:
            r0 = move-exception
            goto L94
        L2e:
            if (r20 != 0) goto L34
            java.lang.String r0 = ""
            r13 = r0
            goto L36
        L34:
            r13 = r20
        L36:
            r7 = r16
            r9 = r14
            r18 = r3
            r3 = r11
            r11 = r1
            io.netty.internal.tcnative.SSLContext.setCertificateBio(r7, r9, r11, r13)     // Catch: java.lang.Throwable -> L56 java.lang.Exception -> L5b javax.net.ssl.SSLException -> L60
            r6 = r16
            io.netty.internal.tcnative.SSLContext.setCertificateChainBio(r6, r3, r5)     // Catch: java.lang.Throwable -> L56 java.lang.Exception -> L5b javax.net.ssl.SSLException -> L60
            freeBio(r1)
            freeBio(r14)
            freeBio(r3)
            r3 = r18
            io.netty.util.c r3 = (io.netty.util.AbstractC2258c) r3
            r3.release()
            return
        L56:
            r0 = move-exception
            r11 = r3
            r3 = r18
            goto L95
        L5b:
            r0 = move-exception
            r11 = r3
            r3 = r18
            goto L8c
        L60:
            r0 = move-exception
            r11 = r3
            r3 = r18
            goto L94
        L65:
            r0 = move-exception
            r18 = r3
            r11 = r1
            goto L95
        L6a:
            r0 = move-exception
            r18 = r3
            r11 = r1
            goto L8c
        L6f:
            r0 = move-exception
            r18 = r3
            r11 = r1
            goto L94
        L74:
            r0 = move-exception
            r18 = r3
        L77:
            r11 = r1
            r14 = r11
            goto L95
        L7a:
            r0 = move-exception
            r18 = r3
        L7d:
            r11 = r1
            r14 = r11
            goto L8c
        L80:
            r0 = move-exception
            r18 = r3
        L83:
            r11 = r1
            r14 = r11
            goto L94
        L86:
            r0 = move-exception
            goto L77
        L88:
            r0 = move-exception
            goto L7d
        L8a:
            r0 = move-exception
            goto L83
        L8c:
            javax.net.ssl.SSLException r4 = new javax.net.ssl.SSLException     // Catch: java.lang.Throwable -> L25
            java.lang.String r5 = "failed to set certificate and key"
            r4.<init>(r5, r0)     // Catch: java.lang.Throwable -> L25
            throw r4     // Catch: java.lang.Throwable -> L25
        L94:
            throw r0     // Catch: java.lang.Throwable -> L25
        L95:
            freeBio(r1)
            freeBio(r14)
            freeBio(r11)
            if (r3 == 0) goto La5
            io.netty.util.c r3 = (io.netty.util.AbstractC2258c) r3
            r3.release()
        La5:
            throw r0
        */
        throw new UnsupportedOperationException("Method not decompiled: io.netty.handler.ssl.H0.setKeyMaterial(long, java.security.cert.X509Certificate[], java.security.PrivateKey, java.lang.String):void");
    }

    /* JADX WARN: Multi-variable type inference failed */
    public static long toBIO(InterfaceC3327C interfaceC3327C, InterfaceC2241s0 interfaceC2241s0) throws Exception {
        long newBIO;
        try {
            ByteBuf content = interfaceC2241s0.content();
            if (content.isDirect()) {
                newBIO = newBIO(content.retainedSlice());
            } else {
                ByteBuf directBuffer = ((AbstractC3354c) interfaceC3327C).directBuffer(content.readableBytes());
                try {
                    directBuffer.writeBytes(content, content.readerIndex(), content.readableBytes());
                    newBIO = newBIO(directBuffer.retainedSlice());
                    try {
                        if (interfaceC2241s0.isSensitive()) {
                            F1.zeroout(directBuffer);
                        }
                        directBuffer.release();
                    } finally {
                    }
                } catch (Throwable th2) {
                    try {
                        if (interfaceC2241s0.isSensitive()) {
                            F1.zeroout(directBuffer);
                        }
                        throw th2;
                    } finally {
                    }
                }
            }
            return newBIO;
        } finally {
            ((AbstractC2258c) interfaceC2241s0).release();
        }
    }

    public static long toBIO(InterfaceC3327C interfaceC3327C, PrivateKey privateKey) throws Exception {
        if (privateKey == null) {
            return 0L;
        }
        io.netty.util.H pem = C2243t0.toPEM(interfaceC3327C, true, privateKey);
        try {
            return toBIO(interfaceC3327C, pem.retain());
        } finally {
            ((AbstractC2258c) pem).release();
        }
    }

    public static long toBIO(InterfaceC3327C interfaceC3327C, X509Certificate... x509CertificateArr) throws Exception {
        if (x509CertificateArr == null) {
            return 0L;
        }
        Bf.B.checkNonEmpty(x509CertificateArr, "certChain");
        io.netty.util.H pem = AbstractC2249w0.toPEM(interfaceC3327C, true, x509CertificateArr);
        try {
            return toBIO(interfaceC3327C, pem.retain());
        } finally {
            ((AbstractC2258c) pem).release();
        }
    }

    public static H toNegotiator(AbstractC2207d abstractC2207d) {
        return NONE_PROTOCOL_NEGOTIATOR;
    }

    public static boolean useExtendedTrustManager(X509TrustManager x509TrustManager) {
        return Bf.X.javaVersion() >= 7 && (x509TrustManager instanceof X509ExtendedTrustManager);
    }

    public InterfaceC2210e applicationProtocolNegotiator() {
        return this.apn;
    }

    public int getBioNonApplicationBufferSize() {
        return this.bioNonApplicationBufferSize;
    }

    @Override // io.netty.handler.ssl.AbstractC2200a1
    public final boolean isClient() {
        return this.mode == 0;
    }

    @Override // io.netty.handler.ssl.AbstractC2200a1
    public final SSLEngine newEngine(InterfaceC3327C interfaceC3327C, String str, int i) {
        return newEngine0(interfaceC3327C, str, i, true);
    }

    public SSLEngine newEngine0(InterfaceC3327C interfaceC3327C, String str, int i, boolean z3) {
        return new Q0(this, interfaceC3327C, str, i, z3, true);
    }

    @Override // io.netty.handler.ssl.AbstractC2200a1
    public final B1 newHandler(InterfaceC3327C interfaceC3327C, String str, int i, boolean z3) {
        return new B1(newEngine0(interfaceC3327C, str, i, false), z3);
    }

    @Override // io.netty.util.H
    public final int refCnt() {
        return this.refCnt.refCnt();
    }

    @Override // io.netty.util.H
    public final boolean release() {
        return this.refCnt.release();
    }

    @Override // io.netty.util.H
    public final io.netty.util.H retain() {
        this.refCnt.retain();
        return this;
    }

    @Override // io.netty.handler.ssl.AbstractC2200a1
    public abstract AbstractC2211e0 sessionContext();

    @Override // io.netty.util.H
    public final io.netty.util.H touch() {
        this.refCnt.touch();
        return this;
    }

    @Override // io.netty.util.H
    public final io.netty.util.H touch(Object obj) {
        this.refCnt.touch(obj);
        return this;
    }
}
