package org.apache.qpid.server.transport;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.qpid.server.bytebuffer.QpidByteBuffer;
import org.apache.qpid.server.model.port.AmqpPort;
import org.apache.qpid.server.transport.NonBlockingConnectionDelegate;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/transport/NonBlockingConnectionTLSDelegate.class */
public class NonBlockingConnectionTLSDelegate implements NonBlockingConnectionDelegate {
    private static final Logger LOGGER = LoggerFactory.getLogger(NonBlockingConnectionTLSDelegate.class);
    private final SSLEngine _sslEngine;
    private final NonBlockingConnection _parent;
    private final int _networkBufferSize;
    private SSLEngineResult _status;
    private Principal _principal;
    private Certificate _peerCertificate;
    private boolean _principalChecked;
    private volatile boolean _hostChecked;
    private QpidByteBuffer _netInputBuffer;
    private QpidByteBuffer _netOutputBuffer;
    private QpidByteBuffer _applicationBuffer;
    private final boolean _ignoreInvalidSni;
    private final boolean _enableDiagnosisOfSslEngineLooping;
    private final long _diagnosisOfSslEngineLoopingWarnThreshold;
    private final long _diagnosisOfSslEngineLoopingBreakThreshold;
    private final List<QpidByteBuffer> _encryptedOutput = new ArrayList();
    private final AtomicInteger _loopingCounter = new AtomicInteger(0);

    public NonBlockingConnectionTLSDelegate(NonBlockingConnection nonBlockingConnection, AmqpPort amqpPort) {
        this._parent = nonBlockingConnection;
        this._sslEngine = createSSLEngine(amqpPort);
        this._networkBufferSize = amqpPort.getNetworkBufferSize();
        int packetBufferSize = this._sslEngine.getSession().getPacketBufferSize();
        if (packetBufferSize > this._networkBufferSize) {
            throw new ServerScopedRuntimeException("TLS implementation packet buffer size (" + packetBufferSize + ") is greater then broker network buffer size (" + this._networkBufferSize + ")");
        }
        this._netInputBuffer = QpidByteBuffer.allocateDirect(this._networkBufferSize);
        this._applicationBuffer = QpidByteBuffer.allocateDirect(this._networkBufferSize);
        this._netOutputBuffer = QpidByteBuffer.allocateDirect(this._networkBufferSize);
        this._ignoreInvalidSni = amqpPort.isIgnoreInvalidSni();
        this._enableDiagnosisOfSslEngineLooping = ((Boolean) amqpPort.getContextValue(Boolean.class, AmqpPort.PORT_DIAGNOSIS_OF_SSL_ENGINE_LOOPING)).booleanValue();
        this._diagnosisOfSslEngineLoopingWarnThreshold = ((Integer) amqpPort.getContextValue(Integer.class, AmqpPort.PORT_DIAGNOSIS_OF_SSL_ENGINE_LOOPING_WARN_THRESHOLD)).intValue();
        this._diagnosisOfSslEngineLoopingBreakThreshold = ((Integer) amqpPort.getContextValue(Integer.class, AmqpPort.PORT_DIAGNOSIS_OF_SSL_ENGINE_LOOPING_BREAK_THRESHOLD)).intValue();
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public boolean readyForRead() {
        return this._sslEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_WRAP;
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public boolean processData() throws IOException {
        if (!this._hostChecked) {
            QpidByteBuffer duplicate = this._netInputBuffer.duplicate();
            try {
                duplicate.flip();
                if (!SSLUtil.isSufficientToDetermineClientSNIHost(duplicate)) {
                    if (duplicate != null) {
                        duplicate.close();
                    }
                    return false;
                }
                SNIHostName sNIHostName = getSNIHostName(duplicate);
                if (sNIHostName != null) {
                    this._parent.setSelectedHost(sNIHostName.getAsciiName());
                    SSLParameters sSLParameters = this._sslEngine.getSSLParameters();
                    sSLParameters.setServerNames(Collections.singletonList(sNIHostName));
                    this._sslEngine.setSSLParameters(sSLParameters);
                }
                this._hostChecked = true;
                if (duplicate != null) {
                    duplicate.close();
                }
            } catch (Throwable th) {
                if (duplicate != null) {
                    try {
                        duplicate.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        this._netInputBuffer.flip();
        boolean z = false;
        while (true) {
            int position = this._applicationBuffer.position();
            int position2 = this._netInputBuffer.position();
            this._status = QpidByteBuffer.decryptSSL(this._sslEngine, this._netInputBuffer, this._applicationBuffer);
            if (this._status.getStatus() == SSLEngineResult.Status.CLOSED) {
                int remaining = this._netInputBuffer.remaining();
                this._netInputBuffer.position(this._netInputBuffer.limit());
                LOGGER.debug("SSLEngine closed, discarded {} byte(s)", Integer.valueOf(remaining));
            }
            boolean runSSLEngineTasks = runSSLEngineTasks(this._status);
            this._applicationBuffer.flip();
            if (this._applicationBuffer.position() > position) {
                z = true;
            }
            this._parent.processAmqpData(this._applicationBuffer);
            restoreApplicationBufferForWrite();
            if (!this._netInputBuffer.hasRemaining() || this._netInputBuffer.position() <= position2) {
                if (!runSSLEngineTasks) {
                    break;
                }
            }
        }
        if (this._netInputBuffer.hasRemaining()) {
            this._netInputBuffer.compact();
        } else {
            this._netInputBuffer.clear();
        }
        return z;
    }

    private SNIHostName getSNIHostName(QpidByteBuffer qpidByteBuffer) {
        try {
            String serverNameFromTLSClientHello = SSLUtil.getServerNameFromTLSClientHello(qpidByteBuffer);
            if (serverNameFromTLSClientHello != null) {
                return SSLUtil.createSNIHostName(serverNameFromTLSClientHello);
            }
            return null;
        } catch (ConnectionScopedRuntimeException e) {
            if (this._ignoreInvalidSni) {
                return null;
            }
            throw e;
        }
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public NonBlockingConnectionDelegate.WriteResult doWrite(Collection<QpidByteBuffer> collection) throws IOException {
        int size = collection.size();
        int wrapBufferArray = wrapBufferArray(collection);
        boolean z = true;
        Iterator<QpidByteBuffer> it = collection.iterator();
        int i = 0;
        while (it.hasNext() && z) {
            int i2 = i;
            i++;
            if (i2 >= size) {
                break;
            }
            z = !it.next().hasRemaining();
        }
        if (!this._encryptedOutput.isEmpty()) {
            this._parent.writeToTransport(this._encryptedOutput);
            ListIterator<QpidByteBuffer> listIterator = this._encryptedOutput.listIterator();
            while (listIterator.hasNext()) {
                QpidByteBuffer next = listIterator.next();
                if (next.hasRemaining()) {
                    break;
                }
                next.dispose();
                listIterator.remove();
            }
        }
        return new NonBlockingConnectionDelegate.WriteResult(z && this._encryptedOutput.isEmpty(), wrapBufferArray);
    }

    protected void restoreApplicationBufferForWrite() {
        int capacity;
        QpidByteBuffer qpidByteBuffer = this._applicationBuffer;
        try {
            int remaining = this._applicationBuffer.remaining();
            this._applicationBuffer.limit(this._applicationBuffer.capacity());
            this._applicationBuffer = this._applicationBuffer.slice();
            this._applicationBuffer.limit(remaining);
            if (qpidByteBuffer != null) {
                qpidByteBuffer.close();
            }
            if (this._applicationBuffer.limit() <= this._applicationBuffer.capacity() - this._sslEngine.getSession().getApplicationBufferSize()) {
                this._applicationBuffer.position(this._applicationBuffer.limit());
                this._applicationBuffer.limit(this._applicationBuffer.capacity());
                return;
            }
            qpidByteBuffer = this._applicationBuffer;
            try {
                if (qpidByteBuffer.capacity() < this._networkBufferSize) {
                    capacity = this._networkBufferSize;
                } else {
                    capacity = qpidByteBuffer.capacity() + this._networkBufferSize;
                    this._parent.reportUnexpectedByteBufferSizeUsage();
                }
                this._applicationBuffer = QpidByteBuffer.allocateDirect(capacity);
                this._applicationBuffer.put(qpidByteBuffer);
                if (qpidByteBuffer != null) {
                    qpidByteBuffer.close();
                }
            } finally {
            }
        } finally {
        }
    }

    private int wrapBufferArray(Collection<QpidByteBuffer> collection) throws SSLException {
        boolean z;
        int i = 0;
        do {
            if (this._sslEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                if (this._netOutputBuffer.remaining() < this._sslEngine.getSession().getPacketBufferSize()) {
                    if (this._netOutputBuffer.position() != 0) {
                        this._netOutputBuffer.flip();
                        this._encryptedOutput.add(this._netOutputBuffer);
                    } else {
                        this._netOutputBuffer.dispose();
                    }
                    this._netOutputBuffer = QpidByteBuffer.allocateDirect(this._networkBufferSize);
                }
                this._status = QpidByteBuffer.encryptSSL(this._sslEngine, collection, this._netOutputBuffer);
                if (this._status.getStatus() == SSLEngineResult.Status.CLOSED) {
                    throw new SSLException(String.format("SSLEngine.wrap operation could not be completed because it was already closed (status %s, handshake status %s)", this._status.getStatus(), this._status.getHandshakeStatus()));
                }
                if (this._status.bytesProduced() < 1 && this._status.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && !this._sslEngine.isOutboundDone() && this._sslEngine.isInboundDone()) {
                    throw new SSLException(String.format("SSLEngine.wrap produced 0 bytes (status %s, handshake status %s)", this._status.getStatus(), this._status.getHandshakeStatus()));
                }
                z = this._status.bytesProduced() > 0;
                i += this._status.bytesConsumed();
                runSSLEngineTasks(this._status);
                if (z && this._netOutputBuffer.remaining() < this._sslEngine.getSession().getPacketBufferSize()) {
                    this._netOutputBuffer.flip();
                    this._encryptedOutput.add(this._netOutputBuffer);
                    this._netOutputBuffer = QpidByteBuffer.allocateDirect(this._networkBufferSize);
                }
                if (this._enableDiagnosisOfSslEngineLooping) {
                    this._loopingCounter.incrementAndGet();
                    if (this._loopingCounter.get() > this._diagnosisOfSslEngineLoopingWarnThreshold) {
                        LOGGER.warn("SSLEngine looping detected, _status: {}, _sslEngine.isOutboundDone(): {}, _sslEngine.isInboundDone(): {}, _sslEngine.getPeerHost(): {}, _sslEngine.getPeerPort(): {}", new Object[]{"[ Status = " + this._status.getStatus() + ", HandshakeStatus = " + this._status.getHandshakeStatus() + ", bytesConsumed = " + this._status.bytesConsumed() + ", bytesProduced = " + this._status.bytesProduced() + " ]", Boolean.valueOf(this._sslEngine.isOutboundDone()), Boolean.valueOf(this._sslEngine.isInboundDone()), this._sslEngine.getPeerHost(), Integer.valueOf(this._sslEngine.getPeerPort())});
                    }
                    if (this._loopingCounter.get() > this._diagnosisOfSslEngineLoopingBreakThreshold) {
                        throw new SSLException("SSLEngine looping detected, executing circuit breaker");
                    }
                }
            } else {
                z = false;
            }
            if (!z) {
                break;
            }
        } while (this._sslEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_UNWRAP);
        if (this._enableDiagnosisOfSslEngineLooping && z) {
            this._loopingCounter.set(0);
        }
        if (this._netOutputBuffer.position() != 0) {
            QpidByteBuffer qpidByteBuffer = this._netOutputBuffer;
            this._netOutputBuffer = this._netOutputBuffer.slice();
            qpidByteBuffer.flip();
            this._encryptedOutput.add(qpidByteBuffer);
        }
        return i;
    }

    private boolean runSSLEngineTasks(SSLEngineResult sSLEngineResult) {
        if (sSLEngineResult.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_TASK) {
            return false;
        }
        while (true) {
            Runnable delegatedTask = this._sslEngine.getDelegatedTask();
            if (delegatedTask == null) {
                return true;
            }
            delegatedTask.run();
        }
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public Principal getPeerPrincipal() {
        checkPeerPrincipal();
        return this._principal;
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public Certificate getPeerCertificate() {
        checkPeerPrincipal();
        return this._peerCertificate;
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public boolean needsWork() {
        return this._sslEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
    }

    private synchronized void checkPeerPrincipal() {
        if (this._principalChecked) {
            return;
        }
        try {
            this._principal = this._sslEngine.getSession().getPeerPrincipal();
            Certificate[] peerCertificates = this._sslEngine.getSession().getPeerCertificates();
            if (peerCertificates != null && peerCertificates.length > 0) {
                this._peerCertificate = peerCertificates[0];
            }
        } catch (SSLPeerUnverifiedException e) {
            this._principal = null;
            this._peerCertificate = null;
        }
        this._principalChecked = true;
    }

    private SSLEngine createSSLEngine(AmqpPort<?> amqpPort) {
        SSLEngine createSSLEngine = amqpPort.getSSLContext().createSSLEngine();
        createSSLEngine.setUseClientMode(false);
        SSLUtil.updateEnabledTlsProtocols(createSSLEngine, amqpPort.getTlsProtocolAllowList(), amqpPort.getTlsProtocolDenyList());
        SSLUtil.updateEnabledCipherSuites(createSSLEngine, amqpPort.getTlsCipherSuiteAllowList(), amqpPort.getTlsCipherSuiteDenyList());
        if (amqpPort.getTlsCipherSuiteAllowList() != null && !amqpPort.getTlsCipherSuiteAllowList().isEmpty()) {
            SSLParameters sSLParameters = createSSLEngine.getSSLParameters();
            sSLParameters.setUseCipherSuitesOrder(true);
            createSSLEngine.setSSLParameters(sSLParameters);
        }
        if (amqpPort.getNeedClientAuth()) {
            createSSLEngine.setNeedClientAuth(true);
        } else if (amqpPort.getWantClientAuth()) {
            createSSLEngine.setWantClientAuth(true);
        }
        return createSSLEngine;
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public QpidByteBuffer getNetInputBuffer() {
        return this._netInputBuffer;
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public void shutdownInput() {
        if (this._netInputBuffer != null) {
            this._netInputBuffer.dispose();
            this._netInputBuffer = null;
        }
        if (this._applicationBuffer != null) {
            this._applicationBuffer.dispose();
            this._applicationBuffer = null;
        }
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public void shutdownOutput() {
        if (this._netOutputBuffer != null) {
            this._netOutputBuffer.dispose();
            this._netOutputBuffer = null;
        }
        try {
            this._sslEngine.closeOutbound();
            this._sslEngine.closeInbound();
        } catch (SSLException e) {
            LOGGER.debug("Exception when closing SSLEngine", e);
        }
    }

    @Override // org.apache.qpid.server.transport.NonBlockingConnectionDelegate
    public String getTransportInfo() {
        SSLSession session = this._sslEngine.getSession();
        return session.getProtocol() + " ; " + session.getCipherSuite();
    }
}
