package org.apache.tomcat.util.net.openssl.panama;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.lang.ref.Cleaner;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.ReadOnlyBufferException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionBindingEvent;
import javax.net.ssl.SSLSessionBindingListener;
import javax.net.ssl.SSLSessionContext;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.Asn1Parser;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.openssl.SSL_CTX_set_verify$callback;
import org.apache.tomcat.util.openssl.SSL_set_info_callback$cb;
import org.apache.tomcat.util.openssl.SSL_set_verify$callback;
import org.apache.tomcat.util.openssl.openssl_h;
import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
import org.apache.tomcat.util.openssl.openssl_h_Macros;
import org.apache.tomcat.util.res.StringManager;
import org.hsqldb.Tokens;
import org.springframework.http.HttpHeaders;
import org.springframework.web.servlet.support.WebContentGenerator;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.class */
public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolInfo {
    // Logger and localized message bundle, also used by the nested callback classes.
    private static final Log log = LogFactory.getLog((Class<?>) OpenSSLEngine.class);
    private static final StringManager sm = StringManager.getManager((Class<?>) OpenSSLEngine.class);
    // Shared empty array returned by OpenSSLSession.getLocalCertificates().
    private static final Certificate[] EMPTY_CERTIFICATES = new Certificate[0];
    // No initializer here: both sets are assigned outside this declaration block.
    public static final Set<String> AVAILABLE_CIPHER_SUITES;
    public static final Set<String> IMPLEMENTED_PROTOCOLS_SET;
    // Size limits in bytes. Each value is the previous one plus a fixed overhead:
    // 17408 = 16384 + 1024, 18432 = 17408 + 1024, 18713 = 18432 + 5 + 20 + 256.
    // NOTE(review): presumably the TLS record limits - confirm against the upstream source.
    private static final int MAX_PLAINTEXT_LENGTH = 16384;
    private static final int MAX_COMPRESSED_LENGTH = 17408;
    private static final int MAX_CIPHERTEXT_LENGTH = 18432;
    // Also the size of the native scratch buffer (bufSegment) and the largest input unwrap() accepts.
    private static final int MAX_ENCRYPTED_PACKET_LENGTH = 18713;
    // Cipher suite name reported by the session while no handshake has finished or after destruction.
    private static final String INVALID_CIPHER = "SSL_NULL_WITH_NULL_NULL";
    // Registry from native SSL pointer address to engine state. Native callbacks receive only the
    // pointer, so this map is how they find the Java-side state; entries are removed by EngineState.run().
    private static final ConcurrentHashMap<Long, EngineState> states;
    // Native handles and verification settings; also registered as the Cleaner action for this engine.
    private final EngineState state;
    private final Arena engineArena;
    private final Cleaner.Cleanable cleanable;
    // Native scratch buffer used to move heap ByteBuffer contents to and from OpenSSL; nulled by shutdown().
    private MemorySegment bufSegment;
    private boolean handshakeFinished;
    private int currentHandshake;
    private boolean receivedShutdown;
    // Set once by shutdown(); every native access in this class is expected to check it first,
    // because the native SSL and BIO objects are freed at that point.
    private volatile boolean destroyed;
    private volatile String version;
    // Caches filled lazily by the session view (cipher suite, application protocol, peer certificates).
    private volatile String cipher;
    private volatile String applicationProtocol;
    private volatile Certificate[] peerCerts;
    private boolean isInboundDone;
    private boolean isOutboundDone;
    private boolean engineClosed;
    private final boolean clientMode;
    private final String fallbackApplicationProtocol;
    private final OpenSSLSessionContext sessionContext;
    private final boolean alpn;
    private final boolean initialized;
    // NOTE(review): by its name this selects the mode in which a client certificate is accepted
    // without a trusted issuer; the code that applies it is not part of this declaration block.
    private final boolean certificateVerificationOptionalNoCA;
    private final OpenSSLSession session;
    // ASN.1 tag values and the OCSP OID; their users are not in this declaration block.
    // NOTE(review): presumably for parsing the OCSP responder URL out of a certificate - confirm.
    private static final int ASN1_SEQUENCE = 48;
    private static final int ASN1_OID = 6;
    private static final int ASN1_STRING = 134;
    private static final byte[] OCSP_OID;
    // wrap()/unwrap() start the handshake implicitly while this is still NOT.
    private Accepted accepted = Accepted.NOT;
    private volatile ClientAuthMode clientAuth = ClientAuthMode.NONE;
    private boolean sendHandshakeError = false;
    // Value returned by getNegotiatedProtocol(); null until it is assigned elsewhere.
    private String selectedProtocol = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$Accepted.class */
    /**
     * Handshake start state of the engine. The engine starts at {@link #NOT}, and
     * {@code wrap}/{@code unwrap} begin the handshake implicitly while it still holds that value.
     * NOTE(review): IMPLICIT and EXPLICIT presumably record how the handshake was started - confirm.
     */
    public enum Accepted {
        /** No handshake has been started yet. */
        NOT,
        IMPLICIT,
        EXPLICIT;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$ClientAuthMode.class */
    /**
     * Client certificate authentication requirement of the engine; the engine's
     * {@code clientAuth} field starts at {@link #NONE}.
     */
    public enum ClientAuthMode {
        /** Initial value: no client certificate is requested. */
        NONE,
        OPTIONAL,
        REQUIRE;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$EngineState.class */
    /**
     * Native-side state of one engine: the SSL object, the network BIO and the verification
     * settings read by the native callbacks. The instance doubles as the clean-up action
     * ({@link #run()}) registered with the engine's Cleaner, so it must stay a static nested
     * class that holds no reference to the engine itself.
     */
    public static class EngineState implements Runnable {
        private final MemorySegment ssl;
        private final MemorySegment networkBIO;
        private final int certificateVerificationDepth;
        private final boolean noOcspCheck;
        // Shared arena: closing it runs the SSL_free / BIO_free clean-up actions attached below.
        private final Arena stateArena = Arena.ofShared();
        private PHAState phaState = PHAState.NONE;
        private int certificateVerifyMode = 0;
        private int handshakeCount = 0;

        /**
         * Registers the state under the SSL pointer address and takes ownership of both native objects.
         *
         * @param memorySegment  pointer returned by SSL_new
         * @param memorySegment2 pointer to the network side of the BIO pair
         * @param i              maximum certificate verification depth
         * @param z              {@code true} to skip the OCSP check in the verify callback
         */
        private EngineState(MemorySegment memorySegment, MemorySegment memorySegment2, int i, boolean z) {
            // Registered before anything else so the native callbacks can resolve this pointer.
            final Long sslAddress = Long.valueOf(memorySegment.address());
            OpenSSLEngine.states.put(sslAddress, this);
            this.noOcspCheck = z;
            this.certificateVerificationDepth = i;
            final long pointerSize = ValueLayout.ADDRESS.byteSize();
            this.ssl = memorySegment.reinterpret(pointerSize, this.stateArena, sslPtr -> openssl_h.SSL_free(sslPtr));
            this.networkBIO = memorySegment2.reinterpret(pointerSize, this.stateArena, bioPtr -> openssl_h.BIO_free(bioPtr));
        }

        /**
         * Clean-up action: unregisters the state, then closes the arena, which frees the native
         * SSL and BIO objects. The registry entry is removed first so that a later lookup of
         * this address returns null instead of a state whose native memory is gone.
         */
        @Override // java.lang.Runnable
        public void run() {
            final Long sslAddress = Long.valueOf(this.ssl.address());
            OpenSSLEngine.states.remove(sslAddress);
            this.stateArena.close();
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$InfoCallback.class */
    /**
     * OpenSSL info callback that counts completed handshakes per engine. The count is kept in
     * the engine state, which is looked up from the SSL pointer passed by OpenSSL.
     */
    private static class InfoCallback implements SSL_set_info_callback$cb.Function {
        private InfoCallback() {
        }

        /**
         * @param memorySegment the SSL pointer the event belongs to
         * @param i             bit mask describing the event
         * @param i2            event return code (not used)
         */
        @Override // org.apache.tomcat.util.openssl.SSL_set_info_callback$cb.Function
        public void apply(MemorySegment memorySegment, int i, int i2) {
            final EngineState engineState = OpenSSLEngine.getState(memorySegment);
            if (engineState == null) {
                // Unknown pointer: the engine was never registered or was already cleaned up.
                OpenSSLEngine.log.warn(OpenSSLEngine.sm.getString("engine.noSSL", Long.valueOf(memorySegment.address())));
                return;
            }
            final boolean handshakeDone = (i & openssl_h.SSL_CB_HANDSHAKE_DONE()) != 0;
            if (handshakeDone) {
                engineState.handshakeCount += 1;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$OpenSSLSession.class */
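    /**
     * {@link SSLSession} view of the enclosing engine. Native calls are made while holding
     * the engine monitor and only after checking that the engine has not been destroyed,
     * because the native SSL object is freed on shutdown.
     */
    public class OpenSSLSession implements SSLSession {
        // Application values bound to the session; created lazily. Not synchronized.
        private Map<String, Object> values;
        private long lastAccessedTime = -1;

        private OpenSSLSession() {
        }

        /**
         * Returns the session id reported by OpenSSL.
         *
         * @return the id bytes, an empty array when there is no native session or the id is
         *         empty, or {@code null} when the engine has been destroyed
         */
        @Override // javax.net.ssl.SSLSession
        public byte[] getId() {
            synchronized (OpenSSLEngine.this) {
                if (OpenSSLEngine.this.destroyed) {
                    return null;
                }
                // try-with-resources closes the confined arena on every path, including when a
                // native call or the copy throws.
                try (Arena ofConfined = Arena.ofConfined()) {
                    MemorySegment allocate = ofConfined.allocate(ValueLayout.JAVA_INT);
                    MemorySegment SSL_get_session = openssl_h.SSL_get_session(OpenSSLEngine.this.state.ssl);
                    if (MemorySegment.NULL.equals(SSL_get_session)) {
                        return new byte[0];
                    }
                    MemorySegment SSL_SESSION_get_id = openssl_h.SSL_SESSION_get_id(SSL_get_session, allocate);
                    // The length is written by OpenSSL; the id is copied to the heap before the arena closes.
                    int i = allocate.get(ValueLayout.JAVA_INT, 0L);
                    if (i == 0) {
                        return new byte[0];
                    }
                    return SSL_SESSION_get_id.reinterpret(i, ofConfined, null).toArray(ValueLayout.JAVA_BYTE);
                }
            }
        }

        @Override // javax.net.ssl.SSLSession
        public SSLSessionContext getSessionContext() {
            return OpenSSLEngine.this.sessionContext;
        }

        /**
         * @return the native session time multiplied by 1000, or 0 when the engine is
         *         destroyed or has no native session
         */
        @Override // javax.net.ssl.SSLSession
        public long getCreationTime() {
            long j = 0;
            synchronized (OpenSSLEngine.this) {
                if (!OpenSSLEngine.this.destroyed) {
                    MemorySegment SSL_get_session = openssl_h.SSL_get_session(OpenSSLEngine.this.state.ssl);
                    if (!MemorySegment.NULL.equals(SSL_get_session)) {
                        j = openssl_h.SSL_SESSION_get_time(SSL_get_session);
                    }
                }
            }
            return j * 1000;
        }

        /** @return the recorded access time if one is set, otherwise the creation time */
        @Override // javax.net.ssl.SSLSession
        public long getLastAccessedTime() {
            return this.lastAccessedTime > 0 ? this.lastAccessedTime : getCreationTime();
        }

        /** No-op: this view does not invalidate the native session. */
        @Override // javax.net.ssl.SSLSession
        public void invalidate() {
        }

        /** Always {@code false}; callers must not use this to decide whether the connection is usable. */
        @Override // javax.net.ssl.SSLSession
        public boolean isValid() {
            return false;
        }

        /**
         * Binds a value to the session and notifies binding listeners.
         *
         * @throws IllegalArgumentException if the name or the value is {@code null}
         */
        @Override // javax.net.ssl.SSLSession
        public void putValue(String str, Object obj) {
            if (str == null) {
                throw new IllegalArgumentException(OpenSSLEngine.sm.getString("engine.nullName"));
            }
            if (obj == null) {
                throw new IllegalArgumentException(OpenSSLEngine.sm.getString("engine.nullValue"));
            }
            Map<String, Object> map = this.values;
            if (map == null) {
                map = new HashMap<>(2);
                this.values = map;
            }
            Object put = map.put(str, obj);
            if (obj instanceof SSLSessionBindingListener) {
                ((SSLSessionBindingListener) obj).valueBound(new SSLSessionBindingEvent(this, str));
            }
            notifyUnbound(put, str);
        }

        /** @throws IllegalArgumentException if the name is {@code null} */
        @Override // javax.net.ssl.SSLSession
        public Object getValue(String str) {
            if (str == null) {
                throw new IllegalArgumentException(OpenSSLEngine.sm.getString("engine.nullName"));
            }
            if (this.values == null) {
                return null;
            }
            return this.values.get(str);
        }

        /** @throws IllegalArgumentException if the name is {@code null} */
        @Override // javax.net.ssl.SSLSession
        public void removeValue(String str) {
            if (str == null) {
                throw new IllegalArgumentException(OpenSSLEngine.sm.getString("engine.nullName"));
            }
            Map<String, Object> map = this.values;
            if (map == null) {
                return;
            }
            notifyUnbound(map.remove(str), str);
        }

        @Override // javax.net.ssl.SSLSession
        public String[] getValueNames() {
            Map<String, Object> map = this.values;
            if (map == null || map.isEmpty()) {
                return new String[0];
            }
            return map.keySet().toArray(new String[0]);
        }

        private void notifyUnbound(Object obj, String str) {
            if (obj instanceof SSLSessionBindingListener) {
                ((SSLSessionBindingListener) obj).valueUnbound(new SSLSessionBindingEvent(this, str));
            }
        }

        /**
         * Returns the peer certificates, leaf first, and caches the result on the engine.
         *
         * <p>NOTE(review): the cached array is returned without a defensive copy, so callers must
         * not modify it. When the peer sent no certificate this returns {@code null} rather than
         * throwing, so callers that authenticate on the result must handle {@code null}.
         *
         * @throws SSLPeerUnverifiedException if the engine is destroyed or the handshake is still in progress
         */
        @Override // javax.net.ssl.SSLSession
        public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
            Certificate[] cached = OpenSSLEngine.this.peerCerts;
            if (cached != null) {
                return cached;
            }
            byte[][] peerCertChain;
            byte[] peerCertificate;
            synchronized (OpenSSLEngine.this) {
                if (OpenSSLEngine.this.destroyed || openssl_h.SSL_in_init(OpenSSLEngine.this.state.ssl) != 0) {
                    throw new SSLPeerUnverifiedException(OpenSSLEngine.sm.getString("engine.unverifiedPeer"));
                }
                peerCertChain = OpenSSLEngine.this.getPeerCertChain();
                // The separate peer certificate is only fetched in server mode.
                peerCertificate = !OpenSSLEngine.this.clientMode ? OpenSSLEngine.this.getPeerCertificate() : null;
            }
            if (peerCertChain == null && peerCertificate == null) {
                return null;
            }
            int chainLength = peerCertChain != null ? peerCertChain.length : 0;
            Certificate[] certificateArr;
            int next = 0;
            if (peerCertificate != null) {
                certificateArr = new Certificate[chainLength + 1];
                certificateArr[next++] = new OpenSSLX509Certificate(peerCertificate);
            } else {
                certificateArr = new Certificate[chainLength];
            }
            if (peerCertChain != null) {
                for (byte[] encoded : peerCertChain) {
                    certificateArr[next++] = new OpenSSLX509Certificate(encoded);
                }
            }
            OpenSSLEngine.this.peerCerts = certificateArr;
            return certificateArr;
        }

        @Override // javax.net.ssl.SSLSession
        public Certificate[] getLocalCertificates() {
            return OpenSSLEngine.EMPTY_CERTIFICATES;
        }

        /**
         * @return the subject of the peer's leaf certificate, or {@code null} when the peer
         *         presented no certificate
         */
        @Override // javax.net.ssl.SSLSession
        public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
            Certificate[] peerCertificates = getPeerCertificates();
            if (peerCertificates == null || peerCertificates.length == 0) {
                return null;
            }
            return principal(peerCertificates);
        }

        @Override // javax.net.ssl.SSLSession
        public Principal getLocalPrincipal() {
            Certificate[] localCertificates = getLocalCertificates();
            if (localCertificates == null || localCertificates.length == 0) {
                return null;
            }
            return principal(localCertificates);
        }

        /**
         * Returns the identity named by the first (leaf) certificate. This is the subject, not
         * the issuer: the issuer is the CA's name and is the same for every certificate that CA
         * signed, so it cannot tell one peer from another in an authorization decision.
         */
        private Principal principal(Certificate[] certificateArr) {
            return ((X509Certificate) certificateArr[0]).getSubjectX500Principal();
        }

        /**
         * @return the negotiated cipher suite under its JSSE name, or the invalid-cipher
         *         placeholder before the handshake has finished or after the engine is destroyed
         */
        @Override // javax.net.ssl.SSLSession
        public String getCipherSuite() {
            if (OpenSSLEngine.this.cipher == null) {
                synchronized (OpenSSLEngine.this) {
                    if (!OpenSSLEngine.this.handshakeFinished) {
                        return OpenSSLEngine.INVALID_CIPHER;
                    }
                    if (OpenSSLEngine.this.destroyed) {
                        return OpenSSLEngine.INVALID_CIPHER;
                    }
                    String openSSLToJsse = OpenSSLCipherConfigurationParser.openSSLToJsse(openssl_h.SSL_CIPHER_get_name(openssl_h.SSL_get_current_cipher(OpenSSLEngine.this.state.ssl)).getString(0L));
                    // Only a successful name mapping is cached; otherwise the next call retries.
                    if (openSSLToJsse != null) {
                        OpenSSLEngine.this.cipher = openSSLToJsse;
                    }
                }
            }
            return OpenSSLEngine.this.cipher;
        }

        /**
         * Returns the version string reported by OpenSSL, followed by ':' and the application
         * protocol when one is known. The version part is {@code null} once the engine is destroyed.
         */
        @Override // javax.net.ssl.SSLSession
        public String getProtocol() {
            String str = OpenSSLEngine.this.applicationProtocol;
            if (str == null) {
                str = OpenSSLEngine.this.fallbackApplicationProtocol;
                if (str != null) {
                    // The cached copy replaces ':' because ':' is the separator in the returned value.
                    OpenSSLEngine.this.applicationProtocol = str.replace(':', '_');
                } else {
                    str = "";
                    OpenSSLEngine.this.applicationProtocol = "";
                }
            }
            String str2 = null;
            synchronized (OpenSSLEngine.this) {
                if (!OpenSSLEngine.this.destroyed) {
                    str2 = openssl_h.SSL_get_version(OpenSSLEngine.this.state.ssl).getString(0L);
                }
            }
            return str.isEmpty() ? str2 : str2 + ":" + str;
        }

        @Override // javax.net.ssl.SSLSession
        public String getPeerHost() {
            return null;
        }

        @Override // javax.net.ssl.SSLSession
        public int getPeerPort() {
            return 0;
        }

        @Override // javax.net.ssl.SSLSession
        public int getPacketBufferSize() {
            return OpenSSLEngine.MAX_ENCRYPTED_PACKET_LENGTH;
        }

        @Override // javax.net.ssl.SSLSession
        public int getApplicationBufferSize() {
            return 16384;
        }
    }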

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$PHAState.class */
    /**
     * Progress marker kept in the engine state. It starts at {@link #NONE} and the
     * certificate verify callback sets it to {@link #COMPLETE}.
     * NOTE(review): the name suggests TLS post-handshake authentication - confirm.
     */
    public enum PHAState {
        /** Initial value. */
        NONE,
        START,
        /** Set by the certificate verify callback once it has run. */
        COMPLETE;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.25.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine$VerifyCallback.class */
    /**
     * Certificate verification callback handed to OpenSSL, for a single SSL object and for a
     * whole context. OpenSSL passes its own verdict for the certificate being checked; this
     * callback can override that verdict according to the engine's verify mode, the OCSP
     * result and the configured maximum chain depth. Returning 1 accepts, returning 0 rejects.
     */
    public static class VerifyCallback implements SSL_set_verify$callback.Function, SSL_CTX_set_verify$callback.Function {
        /**
         * @param i             OpenSSL's own verdict for the current certificate (non-zero = passed)
         * @param memorySegment pointer to the X509_STORE_CTX of the verification in progress
         * @return 1 to accept the certificate, 0 to reject it
         */
        @Override // org.apache.tomcat.util.openssl.SSL_set_verify$callback.Function, org.apache.tomcat.util.openssl.SSL_CTX_set_verify$callback.Function
        public int apply(int i, MemorySegment memorySegment) {
            // Recover the SSL pointer stored in the store context, then the engine state registered for it.
            MemorySegment X509_STORE_CTX_get_ex_data = openssl_h.X509_STORE_CTX_get_ex_data(memorySegment, openssl_h.SSL_get_ex_data_X509_STORE_CTX_idx());
            EngineState state = OpenSSLEngine.getState(X509_STORE_CTX_get_ex_data);
            if (state == null) {
                // Fail closed: without engine state there is no policy to apply, so reject.
                OpenSSLEngine.log.warn(OpenSSLEngine.sm.getString("engine.noSSL", Long.valueOf(X509_STORE_CTX_get_ex_data.address())));
                return 0;
            }
            if (OpenSSLEngine.log.isTraceEnabled()) {
                OpenSSLEngine.log.trace("Verification in engine with mode [" + state.certificateVerifyMode + "] for " + String.valueOf(state.ssl));
            }
            int i2 = i;
            int X509_STORE_CTX_get_error = openssl_h.X509_STORE_CTX_get_error(memorySegment);
            int X509_STORE_CTX_get_error_depth = openssl_h.X509_STORE_CTX_get_error_depth(memorySegment);
            state.phaState = PHAState.COMPLETE;
            // With verification unset (-1) or disabled, every certificate is accepted whatever
            // OpenSSL's verdict was; nothing below (OCSP, depth limit) runs in that case.
            if (state.certificateVerifyMode == -1 || state.certificateVerifyMode == openssl_h.SSL_VERIFY_NONE()) {
                return 1;
            }
            // z: the error is one of the "no trusted issuer" kinds (self-signed, untrusted, issuer not found).
            boolean z = X509_STORE_CTX_get_error == openssl_h.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT() || X509_STORE_CTX_get_error == openssl_h.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN() || X509_STORE_CTX_get_error == openssl_h.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY() || X509_STORE_CTX_get_error == openssl_h.X509_V_ERR_CERT_UNTRUSTED() || X509_STORE_CTX_get_error == openssl_h.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE();
            // NOTE(review): mode 3 is presumably the "optional, no CA" mode - confirm against the
            // constant's definition. In that mode a trust failure is turned into success and the
            // SSL verify result is overwritten with X509_V_OK, so the certificate proves nothing
            // about who issued it. Code that authenticates on the peer certificate must not treat
            // such a connection as verified.
            if (z && state.certificateVerifyMode == 3) {
                i2 = 1;
                openssl_h.SSL_set_verify_result(state.ssl, openssl_h.X509_V_OK());
            }
            // An expired CRL still rejects (i2 stays 0); only the error code in the context is replaced by -1.
            if (i2 == 0 && X509_STORE_CTX_get_error == openssl_h.X509_V_ERR_CRL_HAS_EXPIRED()) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment, -1);
            }
            // The OCSP step runs only when it is enabled and the certificate is accepted so far.
            if (!state.noOcspCheck && i2 > 0) {
                if (!z) {
                    int processOCSP = OpenSSLEngine.processOCSP(memorySegment);
                    if (processOCSP == openssl_h.V_OCSP_CERTSTATUS_REVOKED()) {
                        i2 = 0;
                        // The value of this call is discarded in this decompiled form; it has no effect here.
                        openssl_h.X509_STORE_CTX_get_error(memorySegment);
                    } else if (processOCSP == openssl_h.V_OCSP_CERTSTATUS_UNKNOWN() && openssl_h.X509_STORE_CTX_get_error(memorySegment) <= 0) {
                        // UNKNOWN status rejects only when the context holds no positive error code.
                        i2 = 0;
                    }
                } else if (state.certificateVerifyMode != 3) {
                    openssl_h.X509_STORE_CTX_set_error(memorySegment, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
                    // Discarded value, as above.
                    openssl_h.X509_V_ERR_APPLICATION_VERIFICATION();
                    i2 = 0;
                }
                // When z is true and the mode is 3, neither branch runs: a certificate accepted
                // despite a trust failure is never checked for revocation through OCSP.
            }
            // Reject any result reported deeper in the chain than the configured maximum depth.
            if (X509_STORE_CTX_get_error_depth > state.certificateVerificationDepth) {
                i2 = 0;
            }
            return i2;
        }
    }

    /**
     * Looks up the engine state registered for a native SSL pointer.
     *
     * @param memorySegment the SSL pointer received from OpenSSL
     * @return the registered state, or {@code null} when the address is not (or no longer)
     *         registered; callers must handle {@code null}
     */
    private static EngineState getState(MemorySegment memorySegment) {
        final Long sslAddress = Long.valueOf(memorySegment.address());
        return states.get(sslAddress);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an engine on top of a new native SSL object and a BIO pair.
     *
     * @param cleaner               cleaner that frees the native state once the engine is unreachable
     * @param memorySegment         native SSL context used to create the SSL object
     * @param str                   fallback application protocol
     * @param z                     {@code true} for client mode, {@code false} for server mode
     * @param openSSLSessionContext session context returned by the session view
     * @param z2                    stored as the {@code alpn} flag
     * @param z3                    stored as the {@code initialized} flag
     * @param i                     maximum certificate verification depth
     * @param z4                    stored as the {@code certificateVerificationOptionalNoCA} flag
     * @param z5                    {@code true} to skip the OCSP check in the verify callback
     * @throws IllegalArgumentException if the SSL context is {@code null}
     */
    public OpenSSLEngine(Cleaner cleaner, MemorySegment memorySegment, String str, boolean z, OpenSSLSessionContext openSSLSessionContext, boolean z2, boolean z3, int i, boolean z4, boolean z5) {
        this.bufSegment = null;
        if (memorySegment == null) {
            throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
        }
        this.engineArena = Arena.ofAuto();
        // Scratch buffer for heap ByteBuffers; 18713 equals MAX_ENCRYPTED_PACKET_LENGTH.
        this.bufSegment = this.engineArena.allocate(18713L);
        this.session = new OpenSSLSession();
        // NOTE(review): the result of SSL_new is not checked for NULL before it is used below.
        MemorySegment SSL_new = openssl_h.SSL_new(memorySegment);
        openssl_h.SSL_set_info_callback(SSL_new, SSL_set_info_callback$cb.allocate(new InfoCallback(), this.engineArena));
        if (z) {
            openssl_h.SSL_set_connect_state(SSL_new);
        } else {
            openssl_h.SSL_set_accept_state(SSL_new);
        }
        openssl_h.SSL_set_verify_result(SSL_new, openssl_h.X509_V_OK());
        // The confined arena only holds the two out-pointers of BIO_new_bio_pair.
        Arena ofConfined = Arena.ofConfined();
        try {
            MemorySegment allocate = ofConfined.allocate(ValueLayout.ADDRESS);
            MemorySegment allocate2 = ofConfined.allocate(ValueLayout.ADDRESS);
            // NOTE(review): the return value of BIO_new_bio_pair is not checked.
            openssl_h.BIO_new_bio_pair(allocate, 0L, allocate2, 0L);
            MemorySegment memorySegment2 = allocate.get(ValueLayout.ADDRESS, 0L);
            MemorySegment memorySegment3 = allocate2.get(ValueLayout.ADDRESS, 0L);
            // The first BIO becomes both the read and the write BIO of the SSL object; the second
            // is the network side, kept in the engine state.
            openssl_h.SSL_set_bio(SSL_new, memorySegment2, memorySegment2);
            this.state = new EngineState(SSL_new, memorySegment3, i, z5);
            if (ofConfined != null) {
                ofConfined.close();
            }
            this.fallbackApplicationProtocol = str;
            this.clientMode = z;
            this.sessionContext = openSSLSessionContext;
            this.alpn = z2;
            this.initialized = z3;
            this.certificateVerificationOptionalNoCA = z4;
            // The state object is the clean-up action: it frees the native SSL and BIO objects.
            this.cleanable = cleaner.register(this, this.state);
        } catch (Throwable th) {
            if (ofConfined != null) {
                try {
                    ofConfined.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    /** @return the selected application protocol, or {@code null} if none has been recorded */
    @Override // org.apache.tomcat.util.net.SSLUtil.ProtocolInfo
    public String getNegotiatedProtocol() {
        final String negotiated = this.selectedProtocol;
        return negotiated;
    }

    /**
     * Destroys the engine: frees the native state through the registered clean-up action and
     * marks both directions as done. Calling it again has no effect.
     */
    public synchronized void shutdown() {
        if (!this.destroyed) {
            // The flag is set before the native objects are freed, so code that checks it under
            // the engine monitor never touches freed memory.
            this.destroyed = true;
            this.cleanable.clean();
            this.isInboundDone = true;
            this.isOutboundDone = true;
            this.engineClosed = true;
            this.bufSegment = null;
        }
    }

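    /**
     * Passes plaintext from the buffer to SSL_write, at most 16384 bytes per call.
     *
     * <p>Direct buffers are given to OpenSSL in place. Heap buffers are first copied into
     * the native scratch segment; the copy starts at {@code arrayOffset() + position()} so
     * that a sliced or offset-wrapped buffer sends its own bytes and not other content of
     * the shared backing array.
     *
     * @param memorySegment the native SSL pointer
     * @param byteBuffer    source of plaintext; its position advances by the number of bytes written
     * @return the number of bytes accepted by OpenSSL, or 0 if nothing was written
     * @throws SSLException if OpenSSL reported an error
     */
    private int writePlaintextData(MemorySegment memorySegment, ByteBuffer byteBuffer) throws SSLException {
        clearLastError();
        int position = byteBuffer.position();
        // 16384 is the per-call plaintext cap; it also fits the scratch segment.
        int min = Math.min(byteBuffer.remaining(), 16384);
        MemorySegment ofBuffer;
        if (byteBuffer.isDirect()) {
            ofBuffer = MemorySegment.ofBuffer(byteBuffer);
        } else {
            ofBuffer = this.bufSegment;
            // array() and arrayOffset() throw for a read-only heap buffer.
            MemorySegment.copy(byteBuffer.array(), byteBuffer.arrayOffset() + position, ofBuffer, ValueLayout.JAVA_BYTE, 0L, min);
        }
        int SSL_write = openssl_h.SSL_write(memorySegment, ofBuffer, min);
        if (SSL_write > 0) {
            byteBuffer.position(position + SSL_write);
            return SSL_write;
        }
        checkLastError();
        return 0;
    }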

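    /**
     * Feeds ciphertext received from the network into the network BIO.
     *
     * <p>Direct buffers are given to OpenSSL in place. Heap buffers are first copied into
     * the native scratch segment, starting at {@code arrayOffset() + position()} so that a
     * sliced or offset-wrapped buffer is read from its own window of the backing array.
     * The copy is bounds-checked: it throws when the input is larger than the scratch
     * segment, so callers have to cap the input size beforehand.
     *
     * @param memorySegment the native network BIO pointer
     * @param byteBuffer    source of ciphertext; its position advances by the number of bytes written
     * @return the number of bytes accepted by the BIO, or 0 if nothing was written
     * @throws SSLException if OpenSSL reported an error
     */
    private int writeEncryptedData(MemorySegment memorySegment, ByteBuffer byteBuffer) throws SSLException {
        clearLastError();
        int position = byteBuffer.position();
        int remaining = byteBuffer.remaining();
        MemorySegment ofBuffer;
        if (byteBuffer.isDirect()) {
            ofBuffer = MemorySegment.ofBuffer(byteBuffer);
        } else {
            ofBuffer = this.bufSegment;
            MemorySegment.copy(byteBuffer.array(), byteBuffer.arrayOffset() + position, ofBuffer, ValueLayout.JAVA_BYTE, 0L, remaining);
        }
        int BIO_write = openssl_h.BIO_write(memorySegment, ofBuffer, remaining);
        if (BIO_write > 0) {
            byteBuffer.position(position + BIO_write);
            return BIO_write;
        }
        checkLastError();
        return 0;
    }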

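    /**
     * Reads decrypted application data from SSL_read into the buffer.
     *
     * <p>Direct buffers are filled in place. For heap buffers OpenSSL writes into the native
     * scratch segment and the bytes are then copied to {@code arrayOffset() + position()},
     * so that a sliced or offset-wrapped buffer is filled inside its own window and no other
     * part of the shared backing array is overwritten.
     *
     * @param memorySegment the native SSL pointer
     * @param byteBuffer    destination; its position advances by the number of bytes read
     * @return the number of plaintext bytes read, or 0 if none were available
     * @throws SSLException if OpenSSL reported an error
     */
    private int readPlaintextData(MemorySegment memorySegment, ByteBuffer byteBuffer) throws SSLException {
        clearLastError();
        int position = byteBuffer.position();
        // Never ask for more than the destination can hold or the scratch segment provides.
        int min = Math.min(byteBuffer.remaining(), MAX_ENCRYPTED_PACKET_LENGTH);
        boolean direct = byteBuffer.isDirect();
        MemorySegment ofBuffer = direct ? MemorySegment.ofBuffer(byteBuffer) : this.bufSegment;
        int SSL_read = openssl_h.SSL_read(memorySegment, ofBuffer, min);
        if (SSL_read <= 0) {
            checkLastError();
            return 0;
        }
        if (!direct) {
            MemorySegment.copy(ofBuffer, ValueLayout.JAVA_BYTE, 0L, byteBuffer.array(), byteBuffer.arrayOffset() + position, SSL_read);
        }
        byteBuffer.position(position + SSL_read);
        return SSL_read;
    }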

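    /**
     * Drains ciphertext produced by OpenSSL from the network BIO into the buffer.
     *
     * <p>The length passed to BIO_read is a native write length, which the Java side does
     * not bounds-check. It is therefore clamped to the destination's remaining space and,
     * for heap buffers, to the size of the native scratch segment. Callers are expected to
     * have checked the destination size already; the clamp only guarantees that a larger
     * pending count cannot make OpenSSL write past either buffer. Bytes that are not read
     * stay in the BIO for the next call.
     *
     * <p>For heap buffers the bytes are copied to {@code arrayOffset() + position()} so that
     * a sliced or offset-wrapped buffer is filled inside its own window.
     *
     * @param memorySegment the native network BIO pointer
     * @param byteBuffer    destination; its position advances by the number of bytes read
     * @param i             number of bytes pending in the BIO
     * @return the number of ciphertext bytes read, or 0 if none were read
     * @throws SSLException if OpenSSL reported an error
     */
    private int readEncryptedData(MemorySegment memorySegment, ByteBuffer byteBuffer, int i) throws SSLException {
        clearLastError();
        int position = byteBuffer.position();
        boolean direct = byteBuffer.isDirect();
        MemorySegment ofBuffer = direct ? MemorySegment.ofBuffer(byteBuffer) : this.bufSegment;
        int capacity = byteBuffer.remaining();
        if (!direct) {
            capacity = (int) Math.min((long) capacity, ofBuffer.byteSize());
        }
        int length = Math.min(i, capacity);
        int BIO_read = openssl_h.BIO_read(memorySegment, ofBuffer, length);
        if (BIO_read <= 0) {
            checkLastError();
            return 0;
        }
        if (!direct) {
            MemorySegment.copy(ofBuffer, ValueLayout.JAVA_BYTE, 0L, byteBuffer.array(), byteBuffer.arrayOffset() + position, BIO_read);
        }
        byteBuffer.position(position + BIO_read);
        return BIO_read;
    }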

    /**
     * Encrypts application data from the source buffers into the destination buffer.
     *
     * <p>Ciphertext already pending in the network BIO (handshake or alert records, for
     * example) is drained first, and the call then returns without consuming any plaintext.
     * Otherwise plaintext is written to OpenSSL buffer by buffer, and the call returns as
     * soon as one write has produced ciphertext.
     *
     * @param byteBufferArr source buffers holding plaintext
     * @param i             index of the first source buffer to use
     * @param i2            number of source buffers to use
     * @param byteBuffer    destination for ciphertext
     * @return the engine and handshake status with the bytes consumed and produced;
     *         {@code CLOSED} once the engine is destroyed, {@code BUFFER_OVERFLOW} when the
     *         destination cannot hold the pending ciphertext
     * @throws SSLException              if reading from or writing to OpenSSL fails
     * @throws IllegalArgumentException  if a buffer argument or array element is {@code null}
     * @throws IndexOutOfBoundsException if the offset or length does not fit the array
     * @throws ReadOnlyBufferException   if the destination is read-only
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized SSLEngineResult wrap(ByteBuffer[] byteBufferArr, int i, int i2, ByteBuffer byteBuffer) throws SSLException {
        // After shutdown the native objects are freed, so nothing below may run.
        if (this.destroyed) {
            return new SSLEngineResult(SSLEngineResult.Status.CLOSED, SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING, 0, 0);
        }
        if (byteBufferArr == null || byteBuffer == null) {
            throw new IllegalArgumentException(sm.getString("engine.nullBuffer"));
        }
        // NOTE(review): negative offset or length values are not rejected by this check.
        if (i >= byteBufferArr.length || i + i2 > byteBufferArr.length) {
            throw new IndexOutOfBoundsException(sm.getString("engine.invalidBufferArray", Integer.toString(i), Integer.toString(i2), Integer.toString(byteBufferArr.length)));
        }
        if (byteBuffer.isReadOnly()) {
            throw new ReadOnlyBufferException();
        }
        if (this.accepted == Accepted.NOT) {
            beginHandshakeImplicitly();
        }
        SSLEngineResult.HandshakeStatus handshakeStatus = getHandshakeStatus();
        // The peer has to send something before this side can produce more output.
        if ((!this.handshakeFinished || this.engineClosed) && handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
            return new SSLEngineResult(getEngineStatus(), SSLEngineResult.HandshakeStatus.NEED_UNWRAP, 0, 0);
        }
        // Drain ciphertext that OpenSSL has already queued before accepting new plaintext.
        int BIO_ctrl_pending = (int) openssl_h.BIO_ctrl_pending(this.state.networkBIO);
        if (BIO_ctrl_pending > 0) {
            // The destination must be able to hold all pending bytes before any are read.
            if (byteBuffer.remaining() < BIO_ctrl_pending) {
                return new SSLEngineResult(SSLEngineResult.Status.BUFFER_OVERFLOW, handshakeStatus, 0, 0);
            }
            try {
                int readEncryptedData = readEncryptedData(this.state.networkBIO, byteBuffer, BIO_ctrl_pending);
                // Once outbound is closed and the pending bytes have been read, free the native state.
                if (this.isOutboundDone) {
                    shutdown();
                }
                return new SSLEngineResult(getEngineStatus(), getHandshakeStatus(), 0, readEncryptedData);
            } catch (Exception e) {
                throw new SSLException(e);
            }
        }
        // i3 counts the plaintext bytes consumed from the source buffers.
        int i3 = 0;
        int i4 = i + i2;
        for (int i5 = i; i5 < i4; i5++) {
            ByteBuffer byteBuffer2 = byteBufferArr[i5];
            if (byteBuffer2 == null) {
                throw new IllegalArgumentException(sm.getString("engine.nullBufferInArray"));
            }
            while (byteBuffer2.hasRemaining()) {
                try {
                    int writePlaintextData = writePlaintextData(this.state.ssl, byteBuffer2);
                    i3 += writePlaintextData;
                    // A zero-byte write would loop forever here, so it is treated as an error.
                    // The IllegalStateException is caught below and rethrown as an SSLException.
                    if (writePlaintextData == 0) {
                        throw new IllegalStateException(sm.getString("engine.failedToWriteBytes"));
                    }
                    int BIO_ctrl_pending2 = (int) openssl_h.BIO_ctrl_pending(this.state.networkBIO);
                    if (BIO_ctrl_pending2 > 0) {
                        // The plaintext is already consumed at this point; the ciphertext stays
                        // in the BIO until the caller supplies a large enough destination.
                        if (byteBuffer.remaining() < BIO_ctrl_pending2) {
                            return new SSLEngineResult(SSLEngineResult.Status.BUFFER_OVERFLOW, getHandshakeStatus(), i3, 0);
                        }
                        try {
                            return new SSLEngineResult(getEngineStatus(), getHandshakeStatus(), i3, 0 + readEncryptedData(this.state.networkBIO, byteBuffer, BIO_ctrl_pending2));
                        } catch (Exception e2) {
                            throw new SSLException(e2);
                        }
                    }
                } catch (Exception e3) {
                    throw new SSLException(e3);
                }
            }
        }
        return new SSLEngineResult(getEngineStatus(), getHandshakeStatus(), i3, 0);
    }

    /**
     * Feeds TLS records from {@code byteBuffer} into OpenSSL and copies any decrypted application
     * data into the destination buffers {@code byteBufferArr[i]} up to (excluding)
     * {@code byteBufferArr[i + i2]}.
     *
     * @param byteBuffer    source of encrypted network data
     * @param byteBufferArr destination buffers for plaintext
     * @param i             index of the first destination buffer to use
     * @param i2            number of destination buffers to use
     * @return the engine/handshake status together with the bytes consumed from {@code byteBuffer}
     *         and the bytes produced into the destinations
     * @throws SSLException              if the source exceeds {@code MAX_ENCRYPTED_PACKET_LENGTH}, or
     *                                   wrapping any exception raised while moving data through OpenSSL
     * @throws IllegalArgumentException  if a buffer argument, or a buffer in the used range, is null
     * @throws IndexOutOfBoundsException if the offset/length pair does not fit the destination array
     * @throws ReadOnlyBufferException   if a destination buffer in the used range is read-only
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized SSLEngineResult unwrap(ByteBuffer byteBuffer, ByteBuffer[] byteBufferArr, int i, int i2) throws SSLException {
        // A destroyed engine reports CLOSED without touching native state.
        if (this.destroyed) {
            return new SSLEngineResult(SSLEngineResult.Status.CLOSED, SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING, 0, 0);
        }
        if (byteBuffer == null || byteBufferArr == null) {
            throw new IllegalArgumentException(sm.getString("engine.nullBuffer"));
        }
        // NOTE(review): this only bounds the upper end; a negative i or i2 is not rejected here and
        // i + i2 is not guarded against int overflow - confirm callers never pass such values.
        if (i >= byteBufferArr.length || i + i2 > byteBufferArr.length) {
            throw new IndexOutOfBoundsException(sm.getString("engine.invalidBufferArray", Integer.toString(i), Integer.toString(i2), Integer.toString(byteBufferArr.length)));
        }
        // i3 accumulates the total free space across the destination range; i4 is the exclusive end index.
        int i3 = 0;
        int i4 = i + i2;
        for (int i5 = i; i5 < i4; i5++) {
            ByteBuffer byteBuffer2 = byteBufferArr[i5];
            if (byteBuffer2 == null) {
                throw new IllegalArgumentException(sm.getString("engine.nullBufferInArray"));
            }
            if (byteBuffer2.isReadOnly()) {
                throw new ReadOnlyBufferException();
            }
            i3 += byteBuffer2.remaining();
        }
        // The first unwrap on an engine that has not started a handshake starts one implicitly.
        if (this.accepted == Accepted.NOT) {
            beginHandshakeImplicitly();
        }
        SSLEngineResult.HandshakeStatus handshakeStatus = getHandshakeStatus();
        // While the handshake is unfinished (or the engine is closing) and output is waiting to be
        // wrapped, nothing is consumed: the caller has to call wrap() first.
        if ((!this.handshakeFinished || this.engineClosed) && handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            return new SSLEngineResult(getEngineStatus(), SSLEngineResult.HandshakeStatus.NEED_WRAP, 0, 0);
        }
        // Size cap on peer-supplied ciphertext: an oversized source closes both directions, shuts the
        // engine down and fails the call before anything is written to the network BIO.
        if (byteBuffer.remaining() > MAX_ENCRYPTED_PACKET_LENGTH) {
            this.isInboundDone = true;
            this.isOutboundDone = true;
            this.engineClosed = true;
            shutdown();
            throw new SSLException(sm.getString("engine.oversizedPacket"));
        }
        try {
            // writeEncryptedData is the number of source bytes handed to the network BIO.
            int writeEncryptedData = writeEncryptedData(this.state.networkBIO, byteBuffer);
            int pendingReadableBytesInSSL = pendingReadableBytesInSSL();
            // Until the handshake has finished, pending plaintext is treated as zero, so no
            // application data is copied out to the caller.
            if (!this.handshakeFinished) {
                pendingReadableBytesInSSL = 0;
            }
            // i6 counts plaintext bytes produced; i7 walks the destination buffers.
            int i6 = 0;
            int i7 = i;
            // No destination capacity at all: report overflow, but still report the consumed bytes.
            if (i3 == 0) {
                return new SSLEngineResult(SSLEngineResult.Status.BUFFER_OVERFLOW, getHandshakeStatus(), writeEncryptedData, 0);
            }
            while (pendingReadableBytesInSSL > 0) {
                // Plaintext is still pending but every destination buffer has been walked.
                if (i7 == i4) {
                    throw new IllegalStateException(sm.getString("engine.invalidDestinationBuffersState"));
                }
                while (i7 < i4) {
                    ByteBuffer byteBuffer3 = byteBufferArr[i7];
                    if (!byteBuffer3.hasRemaining()) {
                        i7++;
                    } else {
                        if (pendingReadableBytesInSSL <= 0) {
                            break;
                        }
                        try {
                            int readPlaintextData = readPlaintextData(this.state.ssl, byteBuffer3);
                            // OpenSSL reported pending data but delivered none.
                            if (readPlaintextData == 0) {
                                throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
                            }
                            i6 += readPlaintextData;
                            pendingReadableBytesInSSL -= readPlaintextData;
                            i3 -= readPlaintextData;
                            if (!byteBuffer3.hasRemaining()) {
                                i7++;
                            }
                        } catch (Exception e) {
                            throw new SSLException(e);
                        }
                    }
                }
                // Destination space exhausted: stop even if more plaintext is pending.
                if (i3 == 0) {
                    break;
                }
                // Everything announced so far was read; ask OpenSSL whether more became available.
                if (pendingReadableBytesInSSL == 0) {
                    pendingReadableBytesInSSL = pendingReadableBytesInSSL();
                }
            }
            // First time the peer's shutdown flag is seen: record it and close both directions.
            if (!this.receivedShutdown && (openssl_h.SSL_get_shutdown(this.state.ssl) & openssl_h.SSL_RECEIVED_SHUTDOWN()) == openssl_h.SSL_RECEIVED_SHUTDOWN()) {
                this.receivedShutdown = true;
                closeOutbound();
                closeInbound();
            }
            // BUFFER_UNDERFLOW is reported only when no plaintext was produced and either nothing was
            // consumed, or the source was fully consumed after the handshake had finished.
            return (i6 != 0 || (writeEncryptedData != 0 && (writeEncryptedData <= 0 || byteBuffer.hasRemaining() || !this.handshakeFinished))) ? new SSLEngineResult(getEngineStatus(), getHandshakeStatus(), writeEncryptedData, i6) : new SSLEngineResult(SSLEngineResult.Status.BUFFER_UNDERFLOW, getHandshakeStatus(), writeEncryptedData, 0);
        } catch (Exception e2) {
            // Everything raised inside the block above (including an SSLException already created
            // there) is wrapped in a new SSLException, so the root cause is one level down.
            throw new SSLException(e2);
        }
    }

    /**
     * Asks OpenSSL how many plaintext bytes it holds ready for the application.
     * <p>
     * A zero-length {@code SSL_read} is issued before {@code SSL_pending} is queried (presumably so
     * that OpenSSL processes records already buffered in the BIO - TODO confirm). When the recorded
     * protocol version equals {@code Constants.SSL_PROTO_TLSv1} and both calls came back with
     * nothing, the read/query pair is repeated once.
     *
     * @return the value reported by {@code SSL_pending}
     * @throws SSLException if {@code checkLastError()} raises one for a failed read
     */
    private int pendingReadableBytesInSSL() throws SSLException {
        clearLastError();
        final int probe = openssl_h.SSL_read(this.state.ssl, MemorySegment.NULL, 0);
        if (probe <= 0) {
            checkLastError();
        }
        int available = openssl_h.SSL_pending(this.state.ssl);
        final boolean retry = Constants.SSL_PROTO_TLSv1.equals(this.version) && probe == 0 && available == 0;
        if (!retry) {
            return available;
        }
        // Second attempt for the TLSv1 case described above.
        final int secondProbe = openssl_h.SSL_read(this.state.ssl, MemorySegment.NULL, 0);
        if (secondProbe <= 0) {
            checkLastError();
        }
        available = openssl_h.SSL_pending(this.state.ssl);
        return available;
    }

    /**
     * Always returns {@code null}: this engine never hands a delegated task to the caller.
     *
     * @return {@code null}
     */
    @Override // javax.net.ssl.SSLEngine
    public Runnable getDelegatedTask() {
        final Runnable none = null;
        return none;
    }

    /**
     * Marks the inbound side as finished, closes the engine and shuts the native connection down.
     * <p>
     * If a handshake had been started and the peer's shutdown was never observed, the call fails
     * after the shutdown has been performed. Callers should surface that exception rather than
     * swallow it: it is the only signal here that the stream ended without the peer's close.
     *
     * @throws SSLException if the inbound side is closed before the peer's shutdown was received
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized void closeInbound() throws SSLException {
        if (!this.isInboundDone) {
            this.isInboundDone = true;
            this.engineClosed = true;
            shutdown();
            final boolean handshakeStarted = this.accepted != Accepted.NOT;
            if (handshakeStarted && !this.receivedShutdown) {
                throw new SSLException(sm.getString("engine.inboundClose"));
            }
        }
    }

    /**
     * Reports whether no more inbound data will be accepted.
     *
     * @return {@code true} once the inbound side was closed or the engine as a whole is closed
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized boolean isInboundDone() {
        if (this.isInboundDone) {
            return true;
        }
        return this.engineClosed;
    }

    /**
     * Marks the outbound side as finished and closes the engine.
     * <p>
     * When no handshake was ever started, or the engine is already destroyed, the native connection
     * is shut down directly. Otherwise {@code SSL_shutdown} is called unless OpenSSL already reports
     * that the shutdown was sent.
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized void closeOutbound() {
        if (this.isOutboundDone) {
            return;
        }
        this.isOutboundDone = true;
        this.engineClosed = true;
        final boolean nothingToNotify = this.accepted == Accepted.NOT || this.destroyed;
        if (nothingToNotify) {
            shutdown();
            return;
        }
        final int shutdownState = openssl_h.SSL_get_shutdown(this.state.ssl);
        final boolean alreadySent = (shutdownState & openssl_h.SSL_SENT_SHUTDOWN()) == openssl_h.SSL_SENT_SHUTDOWN();
        if (!alreadySent) {
            openssl_h.SSL_shutdown(this.state.ssl);
        }
    }

    /**
     * Reports whether the outbound side has been closed.
     *
     * @return the current value of the outbound-done flag
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized boolean isOutboundDone() {
        final boolean done = this.isOutboundDone;
        return done;
    }

    /**
     * Returns a fresh array holding every entry of {@code AVAILABLE_CIPHER_SUITES}.
     *
     * @return the supported cipher suite names; the array is a copy the caller may modify
     */
    @Override // javax.net.ssl.SSLEngine
    public String[] getSupportedCipherSuites() {
        final String[] emptyTemplate = new String[0];
        return (String[]) AVAILABLE_CIPHER_SUITES.toArray(emptyTemplate);
    }

    /**
     * Lists the cipher suites currently enabled on the native connection.
     * <p>
     * Names come from {@code OpenSSLLibrary.getCiphers}; each one is replaced by the result of
     * {@code OpenSSLCipherConfigurationParser.openSSLToJsse} when that lookup returns a value, and
     * is left unchanged otherwise.
     *
     * @return the enabled cipher names, or an empty array if the engine is destroyed or OpenSSL
     *         reports no ciphers
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized String[] getEnabledCipherSuites() {
        if (this.destroyed) {
            return new String[0];
        }
        final String[] names = OpenSSLLibrary.getCiphers(this.state.ssl);
        if (names == null) {
            return new String[0];
        }
        int slot = 0;
        for (String openSslName : names) {
            final String jsseName = OpenSSLCipherConfigurationParser.openSSLToJsse(openSslName);
            if (jsseName != null) {
                names[slot] = jsseName;
            }
            slot++;
        }
        return names;
    }

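    /**
     * Replaces the cipher list of the native connection with the given suites.
     * <p>
     * The call is ignored once the engine is initialized or destroyed. Each name is translated with
     * {@code OpenSSLCipherConfigurationParser.jsseToOpenSSL}; names without a translation are passed
     * to OpenSSL unchanged. Processing stops at the first {@code null} element.
     * <p>
     * A name that is not in {@code AVAILABLE_CIPHER_SUITES} is only logged at debug level and is
     * still passed on. If OpenSSL then reports that it could not apply the list, the engine keeps
     * the cipher list it had before, so that outcome is logged as a warning instead of being
     * dropped silently.
     *
     * @param strArr cipher suite names to enable
     * @throws IllegalArgumentException if {@code strArr} is null or yields an empty list
     * @throws IllegalStateException    if handing the list to OpenSSL raises an exception
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized void setEnabledCipherSuites(String[] strArr) {
        if (this.initialized) {
            return;
        }
        if (strArr == null) {
            throw new IllegalArgumentException(sm.getString("engine.nullCipherSuite"));
        }
        if (this.destroyed) {
            return;
        }
        final StringBuilder spec = new StringBuilder();
        for (String requested : strArr) {
            if (requested == null) {
                break;
            }
            final String openSslName = OpenSSLCipherConfigurationParser.jsseToOpenSSL(requested);
            if (!AVAILABLE_CIPHER_SUITES.contains(requested)) {
                log.debug(sm.getString("engine.unsupportedCipher", requested, openSslName));
            }
            spec.append(openSslName != null ? openSslName : requested);
            spec.append(':');
        }
        if (spec.length() == 0) {
            throw new IllegalArgumentException(sm.getString("engine.emptyCipherSuite"));
        }
        // Drop the trailing separator.
        spec.setLength(spec.length() - 1);
        final String cipherSuiteSpec = spec.toString();
        final int applied;
        // try-with-resources releases the native copy of the string on every path, including when
        // the native call throws.
        try (Arena localArena = Arena.ofConfined()) {
            applied = openssl_h.SSL_set_cipher_list(this.state.ssl, localArena.allocateFrom(cipherSuiteSpec));
        } catch (Exception e) {
            throw new IllegalStateException(sm.getString("engine.failedCipherSuite", cipherSuiteSpec), e);
        }
        if (applied <= 0) {
            // OpenSSL rejected the list; the previously configured ciphers stay in effect.
            log.warn(sm.getString("engine.failedCipherSuite", cipherSuiteSpec));
        }
    }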

    /**
     * Returns a fresh array holding every entry of {@code IMPLEMENTED_PROTOCOLS_SET}.
     *
     * @return the protocol names this engine implements; the array is a copy the caller may modify
     */
    @Override // javax.net.ssl.SSLEngine
    public String[] getSupportedProtocols() {
        final String[] emptyTemplate = new String[0];
        return (String[]) IMPLEMENTED_PROTOCOLS_SET.toArray(emptyTemplate);
    }

    /**
     * Derives the enabled protocol names from the option bits of the native connection.
     * <p>
     * {@code Constants.SSL_PROTO_SSLv2Hello} is always listed first. Every other protocol is listed
     * when its {@code SSL_OP_NO_*} bit is not set in {@code SSL_get_options}; this reflects the
     * option bits only, not what the linked OpenSSL build can actually negotiate.
     *
     * @return the enabled protocol names, or an empty array if the engine is destroyed
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized String[] getEnabledProtocols() {
        if (this.destroyed) {
            return new String[0];
        }
        final ArrayList<String> enabled = new ArrayList<>();
        enabled.add(Constants.SSL_PROTO_SSLv2Hello);
        final long options = openssl_h.SSL_get_options(this.state.ssl);
        // Same order as the reported list: TLS versions first, then the legacy SSL versions.
        final long[] disableBits = {
            openssl_h.SSL_OP_NO_TLSv1(),
            openssl_h.SSL_OP_NO_TLSv1_1(),
            openssl_h.SSL_OP_NO_TLSv1_2(),
            openssl_h.SSL_OP_NO_TLSv1_3(),
            openssl_h.SSL_OP_NO_SSLv2(),
            openssl_h.SSL_OP_NO_SSLv3()
        };
        final String[] protocolNames = {
            Constants.SSL_PROTO_TLSv1,
            Constants.SSL_PROTO_TLSv1_1,
            Constants.SSL_PROTO_TLSv1_2,
            Constants.SSL_PROTO_TLSv1_3,
            Constants.SSL_PROTO_SSLv2,
            Constants.SSL_PROTO_SSLv3
        };
        for (int k = 0; k < disableBits.length; k++) {
            if ((options & disableBits[k]) == 0) {
                enabled.add(protocolNames[k]);
            }
        }
        if (enabled.isEmpty()) {
            return new String[0];
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    /**
     * Restricts the native connection to the given protocol versions.
     * <p>
     * The call is ignored once the engine is initialized or destroyed. {@code SSL_OP_ALL} is set
     * first, then the {@code SSL_OP_NO_*} bit of every protocol that was not requested.
     * <p>
     * NOTE(review): this method only ever adds option bits. A {@code SSL_OP_NO_*} bit that was
     * already set on this connection before the call is not cleared here, so naming that protocol
     * would not re-enable it - confirm this is the intended behaviour. The legacy SSLv2/SSLv3 names
     * are accepted whenever {@code IMPLEMENTED_PROTOCOLS_SET} contains them.
     *
     * @param strArr protocol names to leave enabled
     * @throws IllegalArgumentException if {@code strArr} is null or names a protocol outside
     *                                  {@code IMPLEMENTED_PROTOCOLS_SET}
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized void setEnabledProtocols(String[] strArr) {
        if (this.initialized) {
            return;
        }
        if (strArr == null) {
            throw new IllegalArgumentException();
        }
        if (this.destroyed) {
            return;
        }
        boolean keepSslV2 = false;
        boolean keepSslV3 = false;
        boolean keepTls10 = false;
        boolean keepTls11 = false;
        boolean keepTls12 = false;
        boolean keepTls13 = false;
        for (String protocol : strArr) {
            if (!IMPLEMENTED_PROTOCOLS_SET.contains(protocol)) {
                throw new IllegalArgumentException(sm.getString("engine.unsupportedProtocol", protocol));
            }
            keepSslV2 |= Constants.SSL_PROTO_SSLv2.equals(protocol);
            keepSslV3 |= Constants.SSL_PROTO_SSLv3.equals(protocol);
            keepTls10 |= Constants.SSL_PROTO_TLSv1.equals(protocol);
            keepTls11 |= Constants.SSL_PROTO_TLSv1_1.equals(protocol);
            keepTls12 |= Constants.SSL_PROTO_TLSv1_2.equals(protocol);
            keepTls13 |= Constants.SSL_PROTO_TLSv1_3.equals(protocol);
        }
        openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_ALL());
        // Disable everything that was not asked for, oldest protocol first.
        if (!keepSslV2) {
            openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_NO_SSLv2());
        }
        if (!keepSslV3) {
            openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_NO_SSLv3());
        }
        if (!keepTls10) {
            openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_NO_TLSv1());
        }
        if (!keepTls11) {
            openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_NO_TLSv1_1());
        }
        if (!keepTls12) {
            openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_NO_TLSv1_2());
        }
        if (!keepTls13) {
            openssl_h.SSL_set_options(this.state.ssl, openssl_h.SSL_OP_NO_TLSv1_3());
        }
    }

    /**
     * Returns the session object held by this engine.
     *
     * @return the engine's session field, whatever the state of the handshake
     */
    @Override // javax.net.ssl.SSLEngine
    public SSLSession getSession() {
        final SSLSession current = this.session;
        return current;
    }

    /**
     * Starts a handshake, or a renegotiation when one was already requested explicitly.
     * <p>
     * With no handshake started yet, one is started and recorded as explicit. A handshake that was
     * started implicitly is only re-labelled as explicit. A second explicit request triggers
     * {@code renegotiate()}.
     *
     * @throws SSLException if the engine is closed or destroyed, or if the handshake step fails
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized void beginHandshake() throws SSLException {
        final boolean unusable = this.engineClosed || this.destroyed;
        if (unusable) {
            throw new SSLException(sm.getString("engine.engineClosed"));
        }
        switch (this.accepted) {
            case NOT -> {
                handshake();
                this.accepted = Accepted.EXPLICIT;
            }
            case IMPLICIT -> this.accepted = Accepted.EXPLICIT;
            case EXPLICIT -> renegotiate();
            default -> {
                // No other state requires any action.
            }
        }
    }

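    /**
     * Returns the DER encoding of the certificate the peer presented.
     * <p>
     * The certificate handle obtained from OpenSSL is an owned reference, so it is released with
     * {@code X509_free} on every path, including the one where encoding fails; the encoded buffer
     * allocated by {@code i2d_X509} is likewise released even if copying it throws.
     *
     * @return the encoded certificate, or {@code null} if {@code i2d_X509} produced no data (for
     *         example because the peer sent no certificate)
     */
    private byte[] getPeerCertificate() {
        try (Arena localArena = Arena.ofConfined()) {
            final MemorySegment x509 = OpenSSLContext.OPENSSL_3
                    ? openssl_h.SSL_get1_peer_certificate(this.state.ssl)
                    : openssl_h_Compatibility.SSL_get_peer_certificate(this.state.ssl);
            try {
                // i2d_X509 allocates the output buffer itself and stores its address here.
                final MemorySegment bufPointer = localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
                final int length = openssl_h.i2d_X509(x509, bufPointer);
                if (length <= 0) {
                    return null;
                }
                final MemorySegment buf = bufPointer.get(ValueLayout.ADDRESS, 0L);
                try {
                    // Copy to the Java heap before the native buffer is released.
                    return buf.reinterpret(length, localArena, null).toArray(ValueLayout.JAVA_BYTE);
                } finally {
                    openssl_h_Macros.OPENSSL_free(buf);
                }
            } finally {
                // X509_free accepts a NULL pointer, so this is safe when no certificate was returned.
                openssl_h.X509_free(x509);
            }
        }
    }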

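    /**
     * Returns the DER encodings of the certificates in the peer's chain, in the order OpenSSL
     * stores them.
     * <p>
     * The stack and its elements are not freed here; OpenSSL documents the result of
     * {@code SSL_get_peer_cert_chain} as a borrowed reference. Only the buffers allocated by
     * {@code i2d_X509} are released.
     *
     * @return one encoded certificate per chain entry (an empty array for an entry that could not
     *         be encoded), or {@code null} if OpenSSL reports no chain
     */
    private byte[][] getPeerCertChain() {
        final MemorySegment chainStack = openssl_h.SSL_get_peer_cert_chain(this.state.ssl);
        final int count = openssl_h.OPENSSL_sk_num(chainStack);
        if (count <= 0) {
            return null;
        }
        final byte[][] encoded = new byte[count][];
        try (Arena localArena = Arena.ofConfined()) {
            for (int index = 0; index < count; index++) {
                final MemorySegment x509 = openssl_h.OPENSSL_sk_value(chainStack, index);
                // i2d_X509 allocates the output buffer itself and stores its address here.
                final MemorySegment bufPointer = localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
                final int length = openssl_h.i2d_X509(x509, bufPointer);
                if (length < 0) {
                    encoded[index] = new byte[0];
                    continue;
                }
                final MemorySegment buf = bufPointer.get(ValueLayout.ADDRESS, 0L);
                try {
                    // Copy to the Java heap before the native buffer is released.
                    encoded[index] = buf.reinterpret(length, localArena, null).toArray(ValueLayout.JAVA_BYTE);
                } finally {
                    openssl_h_Macros.OPENSSL_free(buf);
                }
            }
        }
        return encoded;
    }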

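    /**
     * Returns the application protocol selected through ALPN, if any.
     * <p>
     * {@code SSL_get0_alpn_selected} writes the protocol's address and length into two out
     * parameters. The address that was written is what gets compared with NULL here; comparing the
     * holder segment itself can never match, because the holder is a live allocation.
     *
     * @return the selected protocol name, or {@code null} if none was selected
     */
    private String getProtocolNegotiated() {
        try (Arena localArena = Arena.ofConfined()) {
            final MemorySegment lengthHolder = localArena.allocate(ValueLayout.JAVA_INT);
            final MemorySegment protocolHolder = localArena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
            openssl_h.SSL_get0_alpn_selected(this.state.ssl, protocolHolder, lengthHolder);
            final MemorySegment protocolAddress = protocolHolder.get(ValueLayout.ADDRESS, 0L);
            if (MemorySegment.NULL.equals(protocolAddress)) {
                return null;
            }
            final int length = lengthHolder.get(ValueLayout.JAVA_INT, 0L);
            if (length == 0) {
                return null;
            }
            final byte[] nameBytes = protocolAddress.reinterpret(length, localArena, null).toArray(ValueLayout.JAVA_BYTE);
            // Decoded with the platform default charset, as before.
            final String protocol = new String(nameBytes);
            if (log.isTraceEnabled()) {
                log.trace("Protocol negotiated [" + protocol + "]");
            }
            return protocol;
        }
    }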

    /**
     * Starts a handshake on behalf of a caller that did not ask for one explicitly and records the
     * engine as implicitly accepted.
     *
     * @throws SSLException if the handshake step fails
     */
    private void beginHandshakeImplicitly() throws SSLException {
        handshake();
        // Only recorded after handshake() returned without throwing.
        final Accepted implicitStart = Accepted.IMPLICIT;
        this.accepted = implicitStart;
    }

    /**
     * Runs one {@code SSL_do_handshake} step.
     * <p>
     * When OpenSSL reports success, the ALPN result is recorded (if ALPN is in use), the session's
     * last-access time is refreshed and the handshake is flagged as finished. Otherwise the OpenSSL
     * error state is inspected through {@code checkLastError()} and nothing else changes.
     *
     * @throws SSLException if {@code checkLastError()} raises one
     */
    private void handshake() throws SSLException {
        this.currentHandshake = this.state.handshakeCount;
        clearLastError();
        final boolean completed = openssl_h.SSL_do_handshake(this.state.ssl) > 0;
        if (completed) {
            if (this.alpn) {
                this.selectedProtocol = getProtocolNegotiated();
            }
            this.session.lastAccessedTime = System.currentTimeMillis();
            this.handshakeFinished = true;
        } else {
            checkLastError();
        }
    }

    /**
     * Requests a new round of peer authentication on an established connection.
     * <p>
     * When the connection's version string equals {@code Constants.SSL_PROTO_TLSv1_3}, the
     * post-handshake authentication state is set to {@code PHAState.START} and
     * {@code SSL_verify_client_post_handshake} is used; otherwise {@code SSL_renegotiate}. In both
     * cases the handshake is flagged as unfinished again, the cached peer certificates are dropped
     * and one {@code SSL_do_handshake} step is run.
     *
     * @throws SSLException if {@code checkLastError()} raises one
     */
    private void renegotiate() throws SSLException {
        if (log.isTraceEnabled()) {
            log.trace("Start renegotiate");
        }
        clearLastError();
        final String negotiatedVersion = openssl_h.SSL_get_version(this.state.ssl).getString(0L);
        final int requestResult;
        if (negotiatedVersion.equals(Constants.SSL_PROTO_TLSv1_3)) {
            this.state.phaState = PHAState.START;
            requestResult = openssl_h.SSL_verify_client_post_handshake(this.state.ssl);
        } else {
            requestResult = openssl_h.SSL_renegotiate(this.state.ssl);
        }
        if (requestResult <= 0) {
            checkLastError();
        }
        // Previously verified peer certificates must not be reported for the new handshake.
        this.handshakeFinished = false;
        this.peerCerts = null;
        this.currentHandshake = this.state.handshakeCount;
        final int stepResult = openssl_h.SSL_do_handshake(this.state.ssl);
        if (stepResult <= 0) {
            checkLastError();
        }
    }

    /**
     * Turns a queued OpenSSL error into either an exception or a deferred handshake failure.
     * <p>
     * After the handshake has finished the error text is thrown. While the handshake is still in
     * progress nothing is thrown and the error text itself is discarded; only the
     * {@code sendHandshakeError} flag is set, which {@code getHandshakeStatus()} later answers with
     * {@code NEED_WRAP}.
     *
     * @throws SSLException if an error is queued and the handshake has already finished
     */
    private void checkLastError() throws SSLException {
        final String message = OpenSSLContext.getLastError();
        if (message == null) {
            return;
        }
        if (!this.handshakeFinished) {
            this.sendHandshakeError = true;
            return;
        }
        throw new SSLException(message);
    }

    /**
     * Reads the last OpenSSL error and discards it, so that a later {@code checkLastError()} does
     * not pick up a stale entry (presumably {@code getLastError()} empties the error queue - TODO
     * confirm in {@code OpenSSLContext}).
     */
    private static void clearLastError() {
        // Result intentionally unused.
        OpenSSLContext.getLastError();
    }

    /**
     * Maps the engine-closed flag to an {@code SSLEngineResult} status.
     *
     * @return {@code CLOSED} when the engine is closed, {@code OK} otherwise
     */
    private SSLEngineResult.Status getEngineStatus() {
        if (this.engineClosed) {
            return SSLEngineResult.Status.CLOSED;
        }
        return SSLEngineResult.Status.OK;
    }

    /**
     * Computes the handshake status and, as a side effect, detects handshake completion.
     * <p>
     * This is not a pure getter: it consumes the {@code sendHandshakeError} flag, and on the call
     * that first observes a completed handshake it records the ALPN result and protocol version,
     * refreshes the session's last-access time and returns {@code FINISHED}.
     *
     * @return the status the caller should act on next
     */
    @Override // javax.net.ssl.SSLEngine
    public synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
        if (this.accepted == Accepted.NOT || this.destroyed) {
            return SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
        }
        if (this.handshakeFinished) {
            if (!this.engineClosed) {
                return SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
            }
            // Closing: flush whatever is still queued in the network BIO, then wait for the peer.
            if (openssl_h.BIO_ctrl_pending(this.state.networkBIO) != 0) {
                return SSLEngineResult.HandshakeStatus.NEED_WRAP;
            }
            return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
        }
        if (this.sendHandshakeError) {
            // A handshake error was deferred by checkLastError(); it is consumed here.
            this.sendHandshakeError = false;
            this.currentHandshake++;
            return SSLEngineResult.HandshakeStatus.NEED_WRAP;
        }
        if (openssl_h.BIO_ctrl_pending(this.state.networkBIO) != 0) {
            return SSLEngineResult.HandshakeStatus.NEED_WRAP;
        }
        final boolean awaitingPeer = this.state.handshakeCount == this.currentHandshake
                || openssl_h.SSL_renegotiate_pending(this.state.ssl) != 0
                || this.state.phaState == PHAState.START;
        if (awaitingPeer) {
            return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
        }
        // The handshake counter moved on and nothing is pending: the handshake has completed.
        if (this.alpn) {
            this.selectedProtocol = getProtocolNegotiated();
        }
        this.session.lastAccessedTime = System.currentTimeMillis();
        this.version = openssl_h.SSL_get_version(this.state.ssl).getString(0L);
        this.handshakeFinished = true;
        return SSLEngineResult.HandshakeStatus.FINISHED;
    }

    /**
     * Accepts only the mode the engine already has; the mode cannot be switched.
     *
     * @param z requested client mode
     * @throws UnsupportedOperationException if {@code z} differs from the engine's current mode
     */
    @Override // javax.net.ssl.SSLEngine
    public void setUseClientMode(boolean z) {
        if (z == this.clientMode) {
            return;
        }
        throw new UnsupportedOperationException();
    }

    /**
     * Reports whether this engine acts as the TLS client.
     *
     * @return the engine's client-mode flag
     */
    @Override // javax.net.ssl.SSLEngine
    public boolean getUseClientMode() {
        final boolean actingAsClient = this.clientMode;
        return actingAsClient;
    }

    /**
     * Switches client authentication to required, or off.
     * <p>
     * Passing {@code false} selects {@code ClientAuthMode.NONE}, which also drops a previously
     * requested optional mode.
     *
     * @param z {@code true} to require a client certificate
     */
    @Override // javax.net.ssl.SSLEngine
    public void setNeedClientAuth(boolean z) {
        final ClientAuthMode requested;
        if (z) {
            requested = ClientAuthMode.REQUIRE;
        } else {
            requested = ClientAuthMode.NONE;
        }
        setClientAuth(requested);
    }

    /**
     * Reports whether a client certificate is required.
     *
     * @return {@code true} when the current mode is {@code ClientAuthMode.REQUIRE}
     */
    @Override // javax.net.ssl.SSLEngine
    public boolean getNeedClientAuth() {
        final boolean required = ClientAuthMode.REQUIRE == this.clientAuth;
        return required;
    }

    /**
     * Switches client authentication to optional, or off.
     * <p>
     * Passing {@code false} selects {@code ClientAuthMode.NONE}, which also drops a previously
     * configured required mode.
     *
     * @param z {@code true} to request, but not require, a client certificate
     */
    @Override // javax.net.ssl.SSLEngine
    public void setWantClientAuth(boolean z) {
        final ClientAuthMode requested;
        if (z) {
            requested = ClientAuthMode.OPTIONAL;
        } else {
            requested = ClientAuthMode.NONE;
        }
        setClientAuth(requested);
    }

    /**
     * Reports whether a client certificate is requested but not required.
     *
     * @return {@code true} when the current mode is {@code ClientAuthMode.OPTIONAL}
     */
    @Override // javax.net.ssl.SSLEngine
    public boolean getWantClientAuth() {
        final boolean optional = ClientAuthMode.OPTIONAL == this.clientAuth;
        return optional;
    }

    /**
     * Applies a client-authentication mode to the native connection. Does nothing in client mode
     * or when the mode is unchanged.
     * <p>
     * Two values are derived from the mode: the one stored in
     * {@code state.certificateVerifyMode} and the one handed to {@code SSL_set_verify}. They are
     * not the same mapping - for {@code REQUIRE} the stored value is
     * {@code SSL_VERIFY_FAIL_IF_NO_PEER_CERT} alone while OpenSSL receives it combined with
     * {@code SSL_VERIFY_PEER}.
     * <p>
     * Every effective mode change allocates another {@code VerifyCallback} stub in
     * {@code engineArena}.
     *
     * @param clientAuthMode the mode to apply
     */
    private void setClientAuth(ClientAuthMode clientAuthMode) {
        if (this.clientMode) {
            return;
        }
        synchronized (this) {
            if (this.clientAuth == clientAuthMode) {
                return;
            }
            // NOTE(review): the literal 3 is what the decompiler left behind; presumably a named
            // "optional, no CA" constant in the original source - confirm, and confirm how
            // VerifyCallback treats a chain that does not validate in that mode.
            this.state.certificateVerifyMode = switch (clientAuthMode) {
                case NONE -> openssl_h.SSL_VERIFY_NONE();
                case OPTIONAL -> this.certificateVerificationOptionalNoCA ? 3 : openssl_h.SSL_VERIFY_PEER();
                case REQUIRE -> openssl_h.SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
                default -> throw new MatchException((String) null, (Throwable) null);
            };
            final int nativeVerifyMode = switch (clientAuthMode) {
                case NONE -> openssl_h.SSL_VERIFY_NONE();
                case OPTIONAL -> openssl_h.SSL_VERIFY_PEER();
                case REQUIRE -> openssl_h.SSL_VERIFY_PEER() | openssl_h.SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
                default -> throw new MatchException((String) null, (Throwable) null);
            };
            openssl_h.SSL_set_verify(this.state.ssl, nativeVerifyMode, SSL_set_verify$callback.allocate(new VerifyCallback(), this.engineArena));
            this.clientAuth = clientAuthMode;
        }
    }

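    /**
     * Runs an OCSP check for the certificate currently being verified in the given store context.
     * <p>
     * The responder URLs are read from the certificate's Authority Information Access extension
     * and tried in order until one yields a status other than {@code V_OCSP_CERTSTATUS_UNKNOWN}.
     * Those URLs are certificate content, so the host this process connects to is chosen by
     * whoever issued the certificate; outbound access from the TLS endpoint should be limited
     * accordingly.
     * <p>
     * No request is made when there is no current certificate, no current issuer or no AIA
     * extension. A certificate that {@code X509_check_issued} accepts as its own issuer is also
     * skipped, and in that case the store context's error is set to {@code X509_V_OK}.
     *
     * @param memorySegment the {@code X509_STORE_CTX} of the verification in progress
     * @return the OCSP certificate status, {@code V_OCSP_CERTSTATUS_UNKNOWN} if none was obtained
     */
    private static int processOCSP(MemorySegment memorySegment) {
        int ocspStatus = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
        final MemorySegment x509 = openssl_h.X509_STORE_CTX_get_current_cert(memorySegment);
        if (MemorySegment.NULL.equals(x509)) {
            return ocspStatus;
        }
        if (openssl_h.X509_check_issued(x509, x509) == openssl_h.X509_V_OK()) {
            // Self-issued certificate: no OCSP lookup.
            // NOTE(review): this overwrites whatever error the store context held for this
            // certificate - confirm the caller only gets here when that is acceptable.
            openssl_h.X509_STORE_CTX_set_error(memorySegment, openssl_h.X509_V_OK());
            return ocspStatus;
        }
        final MemorySegment issuer = openssl_h.X509_STORE_CTX_get0_current_issuer(memorySegment);
        if (MemorySegment.NULL.equals(issuer)) {
            return ocspStatus;
        }
        final int aiaIndex = openssl_h.X509_get_ext_by_NID(x509, openssl_h.NID_info_access(), -1);
        if (aiaIndex < 0) {
            return ocspStatus;
        }
        try (Arena localArena = Arena.ofConfined()) {
            // Copy the raw extension value to the Java heap; its length comes from the same
            // ASN1_STRING the data pointer is taken from.
            final MemorySegment extension = openssl_h.X509_get_ext(x509, aiaIndex);
            final MemorySegment extensionData = openssl_h.X509_EXTENSION_get_data(extension);
            final int length = openssl_h.ASN1_STRING_length(extensionData);
            final MemorySegment data = openssl_h.ASN1_STRING_get0_data(extensionData);
            final byte[] aiaBytes = data.reinterpret(length, localArena, null).toArray(ValueLayout.JAVA_BYTE);
            final Asn1Parser parser = new Asn1Parser(aiaBytes);
            final ArrayList<String> urls = new ArrayList<>();
            try {
                parseOCSPURLs(parser, urls);
            } catch (Exception e) {
                // A parse failure is logged; URLs collected before the failure are still used.
                log.error(sm.getString("engine.ocspParseError"), e);
            }
            for (String responderUrl : urls) {
                try {
                    // NOTE(review): URI.toURL() throws IllegalArgumentException for a URI that is
                    // not absolute; that is not caught here and propagates to the caller.
                    ocspStatus = processOCSPRequest(new URI(responderUrl).toURL(), issuer, x509, memorySegment, localArena);
                    if (log.isDebugEnabled()) {
                        log.debug(sm.getString("engine.ocspResponse", responderUrl, Integer.toString(ocspStatus)));
                    }
                } catch (MalformedURLException | URISyntaxException e) {
                    // Unusable URL: the status is left as it was and the next URL is tried.
                    log.warn(sm.getString("engine.invalidOCSPURL", responderUrl));
                }
                if (ocspStatus != openssl_h.V_OCSP_CERTSTATUS_UNKNOWN()) {
                    break;
                }
            }
        }
        return ocspStatus;
    }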

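    /**
     * Collects OCSP responder URLs from an encoded Authority Information Access extension.
     * <p>
     * The input is certificate content and has to be treated as untrusted. The object identifier
     * read from it is compared with {@code OCSP_OID} only after checking that it is at least as
     * long; without that check a shorter identifier makes the range comparison throw, which ends
     * parsing with an error instead of a plain "no match".
     * <p>
     * NOTE(review): when an identifier does not match, the value that follows it is left unread,
     * so the next tag is neither a sequence nor an identifier and the loop returns. Assuming each
     * entry is an identifier followed by a location, an OCSP entry listed after another access
     * method is therefore never collected and no OCSP request is made for it - confirm whether
     * that is intended.
     *
     * @param asn1Parser parser positioned at the start of the extension value
     * @param arrayList  receives the URLs found, in encounter order
     */
    private static void parseOCSPURLs(Asn1Parser asn1Parser, ArrayList<String> arrayList) {
        while (!asn1Parser.eof()) {
            final int tag = asn1Parser.peekTag();
            if (tag == 0x30) {
                // SEQUENCE: step into it.
                asn1Parser.parseTag(0x30);
                asn1Parser.parseFullLength();
                continue;
            }
            if (tag != 0x06) {
                return;
            }
            // OBJECT IDENTIFIER naming the access method.
            // NOTE(review): the length comes straight from the encoded data; presumably
            // Asn1Parser bounds it against the input - confirm.
            asn1Parser.parseTag(0x06);
            final byte[] oid = new byte[asn1Parser.parseLength()];
            asn1Parser.parseBytes(oid);
            final boolean isOcsp = oid.length >= OCSP_OID.length
                    && Arrays.compareUnsigned(oid, 0, OCSP_OID.length, OCSP_OID, 0, OCSP_OID.length) == 0;
            if (isOcsp) {
                // Context-specific tag 6 (0x86): the location given as a URI.
                asn1Parser.parseTag(0x86);
                final byte[] url = new byte[asn1Parser.parseLength()];
                asn1Parser.parseBytes(url);
                arrayList.add(new String(url));
            }
        }
    }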

    private static int processOCSPRequest(URL url, MemorySegment memorySegment, MemorySegment memorySegment2, MemorySegment memorySegment3, Arena arena) {
        ByteArrayOutputStream byteArrayOutputStream;
        MemorySegment OCSP_REQUEST_new;
        MemorySegment memorySegment4 = MemorySegment.NULL;
        MemorySegment memorySegment5 = MemorySegment.NULL;
        MemorySegment memorySegment6 = MemorySegment.NULL;
        MemorySegment memorySegment7 = MemorySegment.NULL;
        HttpURLConnection httpURLConnection = null;
        MemorySegment memorySegment8 = MemorySegment.NULL;
        MemorySegment memorySegment9 = MemorySegment.NULL;
        try {
            try {
                byteArrayOutputStream = new ByteArrayOutputStream();
                try {
                    OCSP_REQUEST_new = openssl_h.OCSP_REQUEST_new();
                } catch (Throwable th) {
                    try {
                        byteArrayOutputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (Throwable th3) {
                if (MemorySegment.NULL.equals(memorySegment5)) {
                    openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
                }
                openssl_h.OCSP_CERTID_free(memorySegment9);
                openssl_h.OCSP_BASICRESP_free(memorySegment8);
                openssl_h.OCSP_RESPONSE_free(memorySegment5);
                openssl_h.OCSP_REQUEST_free(memorySegment4);
                if (0 != 0) {
                    httpURLConnection.disconnect();
                }
                throw th3;
            }
        } catch (Exception e) {
            log.warn(sm.getString("engine.ocspRequestError", url.toString()), e);
            if (MemorySegment.NULL.equals(memorySegment5)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(memorySegment5);
            openssl_h.OCSP_REQUEST_free(memorySegment4);
            if (0 != 0) {
                httpURLConnection.disconnect();
            }
        }
        if (MemorySegment.NULL.equals(OCSP_REQUEST_new)) {
            int V_OCSP_CERTSTATUS_UNKNOWN = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(memorySegment5)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(memorySegment5);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (0 != 0) {
                httpURLConnection.disconnect();
            }
            return V_OCSP_CERTSTATUS_UNKNOWN;
        }
        MemorySegment OCSP_cert_to_id = openssl_h.OCSP_cert_to_id(MemorySegment.NULL, memorySegment2, memorySegment);
        if (MemorySegment.NULL.equals(OCSP_cert_to_id)) {
            int V_OCSP_CERTSTATUS_UNKNOWN2 = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(memorySegment5)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(memorySegment5);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (0 != 0) {
                httpURLConnection.disconnect();
            }
            return V_OCSP_CERTSTATUS_UNKNOWN2;
        }
        if (MemorySegment.NULL.equals(openssl_h.OCSP_request_add0_id(OCSP_REQUEST_new, OCSP_cert_to_id))) {
            int V_OCSP_CERTSTATUS_UNKNOWN3 = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(memorySegment5)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(memorySegment5);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (0 != 0) {
                httpURLConnection.disconnect();
            }
            return V_OCSP_CERTSTATUS_UNKNOWN3;
        }
        MemorySegment allocateFrom = arena.allocateFrom(ValueLayout.ADDRESS, MemorySegment.NULL);
        int i2d_OCSP_REQUEST = openssl_h.i2d_OCSP_REQUEST(OCSP_REQUEST_new, allocateFrom);
        if (i2d_OCSP_REQUEST <= 0) {
            int V_OCSP_CERTSTATUS_UNKNOWN4 = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(memorySegment5)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(memorySegment5);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (0 != 0) {
                httpURLConnection.disconnect();
            }
            return V_OCSP_CERTSTATUS_UNKNOWN4;
        }
        byte[] array = allocateFrom.get(ValueLayout.ADDRESS, 0L).reinterpret(i2d_OCSP_REQUEST, arena, (Consumer) null).toArray(ValueLayout.JAVA_BYTE);
        HttpURLConnection httpURLConnection2 = (HttpURLConnection) url.openConnection();
        httpURLConnection2.setRequestMethod(WebContentGenerator.METHOD_POST);
        httpURLConnection2.setDoInput(true);
        httpURLConnection2.setDoOutput(true);
        httpURLConnection2.setFixedLengthStreamingMode(i2d_OCSP_REQUEST);
        httpURLConnection2.setRequestProperty(HttpHeaders.CONTENT_TYPE, "application/ocsp-request");
        httpURLConnection2.connect();
        httpURLConnection2.getOutputStream().write(array);
        if (httpURLConnection2.getResponseCode() != 200) {
            int V_OCSP_CERTSTATUS_UNKNOWN5 = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(memorySegment5)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(memorySegment5);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (httpURLConnection2 != null) {
                httpURLConnection2.disconnect();
            }
            return V_OCSP_CERTSTATUS_UNKNOWN5;
        }
        InputStream inputStream = httpURLConnection2.getInputStream();
        byte[] bArr = new byte[1024];
        while (true) {
            int read = inputStream.read(bArr);
            if (read <= 0) {
                break;
            }
            byteArrayOutputStream.write(bArr, 0, read);
        }
        MemorySegment d2i_OCSP_RESPONSE = openssl_h.d2i_OCSP_RESPONSE(MemorySegment.NULL, arena.allocateFrom(ValueLayout.ADDRESS, arena.allocateFrom(ValueLayout.JAVA_BYTE, byteArrayOutputStream.toByteArray())), r0.length);
        if (MemorySegment.NULL.equals(d2i_OCSP_RESPONSE) || openssl_h.OCSP_response_status(d2i_OCSP_RESPONSE) != openssl_h.OCSP_RESPONSE_STATUS_SUCCESSFUL()) {
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(d2i_OCSP_RESPONSE)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(memorySegment9);
            openssl_h.OCSP_BASICRESP_free(memorySegment8);
            openssl_h.OCSP_RESPONSE_free(d2i_OCSP_RESPONSE);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (httpURLConnection2 != null) {
                httpURLConnection2.disconnect();
            }
            return openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
        }
        MemorySegment OCSP_response_get1_basic = openssl_h.OCSP_response_get1_basic(d2i_OCSP_RESPONSE);
        MemorySegment OCSP_cert_to_id2 = openssl_h.OCSP_cert_to_id(MemorySegment.NULL, memorySegment2, memorySegment);
        if (MemorySegment.NULL.equals(OCSP_cert_to_id2)) {
            int V_OCSP_CERTSTATUS_UNKNOWN6 = openssl_h.V_OCSP_CERTSTATUS_UNKNOWN();
            byteArrayOutputStream.close();
            if (MemorySegment.NULL.equals(d2i_OCSP_RESPONSE)) {
                openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
            }
            openssl_h.OCSP_CERTID_free(OCSP_cert_to_id2);
            openssl_h.OCSP_BASICRESP_free(OCSP_response_get1_basic);
            openssl_h.OCSP_RESPONSE_free(d2i_OCSP_RESPONSE);
            openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
            if (httpURLConnection2 != null) {
                httpURLConnection2.disconnect();
            }
            return V_OCSP_CERTSTATUS_UNKNOWN6;
        }
        int OCSP_single_get0_status = openssl_h.OCSP_single_get0_status(openssl_h.OCSP_resp_get0(OCSP_response_get1_basic, openssl_h.OCSP_resp_find(OCSP_response_get1_basic, OCSP_cert_to_id2, -1)), MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
        byteArrayOutputStream.close();
        if (MemorySegment.NULL.equals(d2i_OCSP_RESPONSE)) {
            openssl_h.X509_STORE_CTX_set_error(memorySegment3, openssl_h.X509_V_ERR_APPLICATION_VERIFICATION());
        }
        openssl_h.OCSP_CERTID_free(OCSP_cert_to_id2);
        openssl_h.OCSP_BASICRESP_free(OCSP_response_get1_basic);
        openssl_h.OCSP_RESPONSE_free(d2i_OCSP_RESPONSE);
        openssl_h.OCSP_REQUEST_free(OCSP_REQUEST_new);
        if (httpURLConnection2 != null) {
            httpURLConnection2.disconnect();
        }
        return OCSP_single_get0_status;
    }

    /**
     * Implements {@link javax.net.ssl.SSLEngine#setEnableSessionCreation(boolean)}.
     *
     * <p>Only {@code true} is accepted; it is a no-op. A request to turn session
     * creation off is rejected, so callers cannot use this method to force the
     * engine to resume existing sessions only.
     *
     * @param z {@code true} to allow new sessions (the only supported value)
     * @throws UnsupportedOperationException if {@code z} is {@code false}
     */
    @Override
    public void setEnableSessionCreation(boolean z) {
        if (z) {
            // Nothing to configure: session creation is already permitted.
            return;
        }
        final String message = sm.getString("engine.noRestrictSessionCreation");
        throw new UnsupportedOperationException(message);
    }

    /**
     * Implements {@link javax.net.ssl.SSLEngine#getEnableSessionCreation()}.
     *
     * @return always {@code true}; the matching setter refuses {@code false},
     *         so the value can never be anything else
     */
    @Override
    public boolean getEnableSessionCreation() {
        final boolean sessionCreationAllowed = true;
        return sessionCreationAllowed;
    }

    static {
        // Cipher suites: whatever OpenSSLLibrary.findCiphers yields for the Tokens.T_ALL
        // selector, de-duplicated in insertion order and then frozen behind a read-only view.
        // NOTE(review): Tokens resolves to org.hsqldb.Tokens, which looks like a decompiler
        // constant mix-up; presumably the value is the string "ALL" - confirm against the
        // original source before relying on it.
        LinkedHashSet cipherSuites = new LinkedHashSet(128);
        cipherSuites.addAll(OpenSSLLibrary.findCiphers(Tokens.T_ALL));
        AVAILABLE_CIPHER_SUITES = Collections.unmodifiableSet(cipherSuites);

        // Protocol names this engine knows about, exposed as a read-only set.
        // NOTE(review): the set lists legacy names (SSLv2Hello, SSLv2, SSLv3, TLSv1, TLSv1.1)
        // next to TLSv1.2/TLSv1.3. This block does not show whether membership means
        // "enabled by default" - verify that the effective defaults are restricted to
        // current TLS versions where the enabled protocols are chosen.
        HashSet protocolNames = new HashSet();
        Collections.addAll(protocolNames,
                Constants.SSL_PROTO_SSLv2Hello,
                Constants.SSL_PROTO_SSLv2,
                Constants.SSL_PROTO_SSLv3,
                Constants.SSL_PROTO_TLSv1,
                Constants.SSL_PROTO_TLSv1_1,
                Constants.SSL_PROTO_TLSv1_2,
                Constants.SSL_PROTO_TLSv1_3);
        IMPLEMENTED_PROTOCOLS_SET = Collections.unmodifiableSet(protocolNames);

        // Shared concurrent map; what it is keyed by is not visible in this block.
        states = new ConcurrentHashMap<>();

        // Content octets of the object identifier 1.3.6.1.5.5.7.48.1 (id-ad-ocsp):
        // 0x2B encodes the leading arcs 1.3, and each remaining arc fits in one byte.
        OCSP_OID = new byte[]{0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
    }
}
