package org.apache.tomcat.util.net.openssl.panama;

import com.mysql.cj.exceptions.MysqlErrorNumbers;
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.openssl.openssl_h;
import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
import org.apache.tomcat.util.res.StringManager;
import org.springframework.beans.propertyeditors.CustomBooleanEditor;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-10.1.26.jar:org/apache/tomcat/util/net/openssl/panama/OpenSSLLibrary.class */
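/**
 * Process-wide initialisation and teardown of the native OpenSSL library through the Java
 * foreign-function API (java.lang.foreign), plus a few helpers built on the native bindings.
 *
 * <p>This listing is JADX decompiler output. The decompiler replaced several literals with
 * same-valued constants from unrelated libraries ({@code CustomBooleanEditor.VALUE_ON} for
 * {@code "on"}, {@code CustomBooleanEditor.VALUE_OFF} for {@code "off"},
 * {@code MysqlErrorNumbers.ER_ERROR_ON_RENAME} for {@code 1025}). The plain literals are used
 * below so that the TLS bootstrap code no longer references Spring or the MySQL driver; the
 * corresponding imports at the top of the file appear to be decompiler artefacts as well.
 *
 * <p>Security-relevant configuration handled here:
 * <ul>
 * <li>{@link #setSSLEngine(String)}: a value other than "on", "off" or "auto" is used as an ENGINE
 * id and, if no such engine exists, as the shared-object path handed to the "dynamic" engine.
 * The value therefore selects native code to load and has to come from trusted configuration.</li>
 * <li>{@link #setSSLRandomSeed(String)}: a value other than "builtin" is a file path read by
 * {@code RAND_load_file}; if that fails, seed bytes from {@link SecureRandom} are used.</li>
 * <li>{@link #setFIPSMode(String)}: "off", "on", "require" or "enter", see {@link #init()}.</li>
 * </ul>
 *
 * <p>The mutable static state is guarded by {@link #lock} inside {@link #init()} and
 * {@link #destroy()}; the setters and getters do not take that lock.
 */
public class OpenSSLLibrary {
    private static final int FIPS_ON = 1;
    private static final int FIPS_OFF = 0;
    private static final int OPENSSL_ERROR_MESSAGE_BUFFER_SIZE = 256;
    // Value of OpenSSL_version_num() from which the OpenSSL 3 code paths are taken
    // (805306383 decimal; the 3.0.0 release as far as the OpenSSL numbering scheme goes).
    private static final long OPENSSL_3_VERSION_NUM = 0x3000000fL;
    // Number of seed bytes read from the seed file or drawn from SecureRandom.
    private static final int RANDOM_SEED_BYTES = 128;
    private static final Log log = LogFactory.getLog(OpenSSLLibrary.class);
    protected static final StringManager sm = StringManager.getManager(OpenSSLLibrary.class);
    // "on", "off", "auto", or an ENGINE id / shared-object path (see init()).
    protected static String SSLEngine = "on";
    // "off", "on", "require" or "enter" (see init()).
    protected static String FIPSMode = "off";
    // "builtin" or the path of a file holding seed material.
    protected static String SSLRandomSeed = "builtin";
    protected static boolean fipsModeActive = false;
    protected static final Object lock = new Object();
    // Number of init() calls not yet matched by destroy(); guarded by lock.
    private static int referenceCount = 0;
    static MemorySegment enginePointer = MemorySegment.NULL;
    // Filled by initDHParameters(), ordered from the largest group to the smallest.
    static final DHParam[] dhParameters = new DHParam[6];

    /**
     * A native DH parameter set together with the {@code min} value stored next to it.
     * JADX reports that it widened the access of this type from package-private.
     */
    public static final class DHParam {
        // Native DH structure; released with DH_free in freeDHParameters().
        final MemorySegment dh;
        // Threshold paired with the group; presumably a minimum key size in bits. The code
        // that selects a group by this value is not part of this file.
        final int min;

        private DHParam(MemorySegment memorySegment, int i) {
            this.dh = memorySegment;
            this.min = i;
        }
    }

    /**
     * Calls {@code OPENSSL_init_ssl} once per process. Libraries older than
     * {@link #OPENSSL_3_VERSION_NUM} are additionally asked to load all built-in engines.
     */
    static void initLibrary() {
        synchronized (lock) {
            if (OpenSSLStatus.isLibraryInitialized()) {
                return;
            }
            long initOptions = openssl_h.OpenSSL_version_num() >= OPENSSL_3_VERSION_NUM
                    ? 0L
                    : openssl_h.OPENSSL_INIT_ENGINE_ALL_BUILTIN();
            openssl_h.OPENSSL_init_ssl(initOptions, MemorySegment.NULL);
            OpenSSLStatus.setLibraryInitialized(true);
        }
    }

    /**
     * Builds the six predefined DH parameter sets (generator 2) from the RFC 3526 primes and,
     * for the last slot, the RFC 2409 1024-bit prime.
     *
     * <p>NOTE(review): the last slot is a 1024-bit group with {@code min} 0, which is below the
     * 2048-bit minimum commonly required today. How a slot is chosen is decided outside this
     * file; confirm that the 1024-bit group cannot be negotiated in deployments that matter.
     */
    private static void initDHParameters() {
        dhParameters[0] = newDHParam(openssl_h.BN_get_rfc3526_prime_8192(MemorySegment.NULL), 6145);
        dhParameters[1] = newDHParam(openssl_h.BN_get_rfc3526_prime_6144(MemorySegment.NULL), 4097);
        dhParameters[2] = newDHParam(openssl_h.BN_get_rfc3526_prime_4096(MemorySegment.NULL), 3073);
        dhParameters[3] = newDHParam(openssl_h.BN_get_rfc3526_prime_3072(MemorySegment.NULL), 2049);
        dhParameters[4] = newDHParam(openssl_h.BN_get_rfc3526_prime_2048(MemorySegment.NULL), 1025);
        dhParameters[5] = newDHParam(openssl_h.BN_get_rfc2409_prime_1024(MemorySegment.NULL), 0);
    }

    /** Wraps {@code prime} and a freshly allocated generator 2 in a new native DH structure. */
    private static DHParam newDHParam(MemorySegment prime, int min) {
        MemorySegment dh = openssl_h.DH_new();
        MemorySegment generator = openssl_h.BN_new();
        openssl_h.BN_set_word(generator, 2L);
        // Only dh is released later (freeDHParameters); the prime and the generator are handed
        // over to it here and are not freed separately anywhere in this class.
        openssl_h.DH_set0_pqg(dh, prime, MemorySegment.NULL, generator);
        return new DHParam(dh, min);
    }

    /** Frees every populated DH parameter slot and clears the slots that were freed. */
    private static void freeDHParameters() {
        for (int i = 0; i < dhParameters.length; i++) {
            DHParam param = dhParameters[i];
            if (param == null) {
                continue;
            }
            MemorySegment dh = param.dh;
            if (dh != null && !MemorySegment.NULL.equals(dh)) {
                openssl_h.DH_free(dh);
                dhParameters[i] = null;
            }
        }
    }

    /**
     * Initialises OpenSSL for the first caller; later calls only increase the reference count.
     *
     * <p>Steps, in order: library init, optional ENGINE setup (only when neither OpenSSL 3 nor
     * BoringSSL is in use), random seeding, DH parameter setup (same condition), FIPS handling.
     * Nothing beyond marking the status as initialised happens when {@code SSLEngine} is "off".
     *
     * <p>FIPS handling, by {@code FIPSMode} value:
     * <ul>
     * <li>"off" or {@code null}: nothing is changed; on OpenSSL 3 the active flag is still set
     * when the provider serving SHA-512 is named "fips".</li>
     * <li>"on": accepted if FIPS is already active; otherwise FIPS mode is entered on
     * pre-3 libraries and an {@link IllegalStateException} is thrown on OpenSSL 3.</li>
     * <li>"require": FIPS must already be active, otherwise {@link IllegalStateException}.</li>
     * <li>"enter": on pre-3 libraries FIPS must not be active yet and is entered; on OpenSSL 3
     * the FIPS provider must already be the default.</li>
     * <li>anything else: {@link IllegalArgumentException}.</li>
     * </ul>
     *
     * <p>If a step throws, the reference count and the initialised flag set at the start are
     * left as they are; only the temporary native memory is released.
     *
     * @throws IllegalStateException if the engine cannot be loaded or the FIPS requirement
     *         cannot be met
     * @throws IllegalArgumentException if {@code FIPSMode} holds an unknown value
     */
    public static void init() {
        synchronized (lock) {
            if (referenceCount++ != 0) {
                return;
            }
            if (OpenSSLStatus.isInitialized()) {
                return;
            }
            OpenSSLStatus.setInitialized(true);
            if ("off".equalsIgnoreCase(SSLEngine)) {
                return;
            }
            // try-with-resources: the decompiled form closed the arena on the success path
            // only, leaving the native scratch memory allocated when a step threw.
            try (Arena arena = Arena.ofConfined()) {
                initLibrary();
                OpenSSLStatus.setVersion(openssl_h.OpenSSL_version_num());
                boolean legacyLibrary = !openssl_h_Compatibility.OPENSSL3 && !openssl_h_Compatibility.BORINGSSL;

                String engineName = "on".equalsIgnoreCase(SSLEngine) ? null : SSLEngine;
                if (legacyLibrary && engineName != null) {
                    if ("auto".equals(engineName)) {
                        openssl_h.ENGINE_register_all_complete();
                    } else {
                        loadEngine(arena, engineName);
                    }
                }

                seedRandom(arena);

                if (legacyLibrary) {
                    initDHParameters();
                }

                if (openssl_h_Compatibility.OPENSSL3 || (null != FIPSMode && !"off".equalsIgnoreCase(FIPSMode))) {
                    configureFipsMode(arena);
                }

                log.info(sm.getString("openssllibrary.initializedOpenSSL", openssl_h.OpenSSL_version(0).getString(0L)));
                OpenSSLStatus.setAvailable(true);
            }
        }
    }

    /**
     * Resolves {@code engineName} as an ENGINE id, falling back to the "dynamic" engine with
     * {@code engineName} as its SO_PATH, and makes the result the default for all methods.
     *
     * @throws IllegalStateException if no usable engine results
     */
    private static void loadEngine(Arena arena, String engineName) {
        MemorySegment engineId = arena.allocateFrom(engineName);
        enginePointer = openssl_h.ENGINE_by_id(engineId);
        if (MemorySegment.NULL.equals(enginePointer)) {
            // Not a known id: treat the configured value as the path of a shared object.
            enginePointer = openssl_h.ENGINE_by_id(arena.allocateFrom("dynamic"));
            // The decompiled code tested only for a Java null here, so a NULL native pointer
            // (no "dynamic" engine) was still passed on to ENGINE_ctrl_cmd_string.
            if (enginePointer != null && !MemorySegment.NULL.equals(enginePointer)
                    && (openssl_h.ENGINE_ctrl_cmd_string(enginePointer, arena.allocateFrom("SO_PATH"), engineId, 0) == 0
                            || openssl_h.ENGINE_ctrl_cmd_string(enginePointer, arena.allocateFrom("LOAD"), MemorySegment.NULL, 0) == 0)) {
                openssl_h.ENGINE_free(enginePointer);
                enginePointer = MemorySegment.NULL;
            }
        }
        if (!MemorySegment.NULL.equals(enginePointer)
                && openssl_h.ENGINE_set_default(enginePointer, openssl_h.ENGINE_METHOD_ALL()) == 0) {
            openssl_h.ENGINE_free(enginePointer);
            enginePointer = MemorySegment.NULL;
        }
        if (MemorySegment.NULL.equals(enginePointer)) {
            throw new IllegalStateException(sm.getString("openssllibrary.engineError"));
        }
    }

    /**
     * Seeds the OpenSSL random generator from the configured seed file, or from
     * {@link SecureRandom} when no file is configured or the file could not be loaded.
     */
    private static void seedRandom(Arena arena) {
        boolean seededFromFile = false;
        if (SSLRandomSeed != null && !SSLRandomSeed.isEmpty() && !"builtin".equals(SSLRandomSeed)) {
            seededFromFile = openssl_h.RAND_load_file(arena.allocateFrom(SSLRandomSeed), RANDOM_SEED_BYTES) > 0;
            if (!seededFromFile) {
                log.warn(sm.getString("openssllibrary.errorSettingSSLRandomSeed", SSLRandomSeed, getLastError()));
            }
        }
        if (!seededFromFile) {
            byte[] seed = new SecureRandom().generateSeed(RANDOM_SEED_BYTES);
            openssl_h.RAND_seed(arena.allocateFrom(ValueLayout.JAVA_BYTE, seed), RANDOM_SEED_BYTES);
        }
    }

    /**
     * Determines the library's current FIPS state and applies the configured {@code FIPSMode}
     * as described on {@link #init()}, updating {@link #fipsModeActive}.
     */
    private static void configureFipsMode(Arena arena) {
        fipsModeActive = false;
        int fipsModeState = FIPS_OFF;
        if (openssl_h_Compatibility.OPENSSL3) {
            // OpenSSL 3: FIPS counts as active when the default SHA-512 comes from a
            // provider named "fips".
            MemorySegment md = openssl_h.EVP_MD_fetch(MemorySegment.NULL, arena.allocateFrom("SHA-512"), MemorySegment.NULL);
            String providerName = openssl_h.OSSL_PROVIDER_get0_name(openssl_h.EVP_MD_get0_provider(md)).getString(0L);
            openssl_h.EVP_MD_free(md);
            if ("fips".equals(providerName)) {
                fipsModeState = FIPS_ON;
            }
        } else {
            fipsModeState = openssl_h_Compatibility.FIPS_mode();
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("openssllibrary.currentFIPSMode", Integer.valueOf(fipsModeState)));
        }

        final boolean enterFipsMode;
        if (null == FIPSMode || "off".equalsIgnoreCase(FIPSMode)) {
            if (fipsModeState == FIPS_ON) {
                fipsModeActive = true;
            }
            enterFipsMode = false;
        } else if ("on".equalsIgnoreCase(FIPSMode)) {
            if (fipsModeState == FIPS_ON) {
                if (!openssl_h_Compatibility.OPENSSL3) {
                    log.info(sm.getString("openssllibrary.skipFIPSInitialization"));
                }
                fipsModeActive = true;
                enterFipsMode = false;
            } else {
                if (openssl_h_Compatibility.OPENSSL3) {
                    throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode));
                }
                enterFipsMode = true;
            }
        } else if ("require".equalsIgnoreCase(FIPSMode)) {
            if (fipsModeState != FIPS_ON) {
                if (!openssl_h_Compatibility.OPENSSL3) {
                    throw new IllegalStateException(sm.getString("openssllibrary.requireNotInFIPSMode"));
                }
                throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode));
            }
            fipsModeActive = true;
            enterFipsMode = false;
        } else if ("enter".equalsIgnoreCase(FIPSMode)) {
            if (fipsModeState == FIPS_OFF) {
                if (openssl_h_Compatibility.OPENSSL3) {
                    throw new IllegalStateException(sm.getString("openssllibrary.FIPSProviderNotDefault", FIPSMode));
                }
                enterFipsMode = true;
            } else {
                if (!openssl_h_Compatibility.OPENSSL3) {
                    throw new IllegalStateException(sm.getString("openssllibrary.enterAlreadyInFIPSMode", Integer.valueOf(fipsModeState)));
                }
                fipsModeActive = true;
                enterFipsMode = false;
            }
        } else {
            throw new IllegalArgumentException(sm.getString("openssllibrary.wrongFIPSMode", FIPSMode));
        }

        if (enterFipsMode) {
            log.info(sm.getString("openssllibrary.initializingFIPS"));
            if (openssl_h_Compatibility.FIPS_mode_set(FIPS_ON) != 1) {
                String message = sm.getString("openssllibrary.initializeFIPSFailed");
                log.error(message);
                throw new IllegalStateException(message);
            }
            fipsModeActive = true;
            log.info(sm.getString("openssllibrary.initializeFIPSSuccess"));
        }
        if (openssl_h_Compatibility.OPENSSL3 && fipsModeActive) {
            log.info(sm.getString("aprListener.usingFIPSProvider"));
        }
    }

    /**
     * Releases one reference; the last release frees the DH parameters and the engine and
     * leaves FIPS mode on pre-3 libraries, then clears the initialised and FIPS flags.
     * Does nothing when the status is not initialised.
     */
    public static void destroy() {
        synchronized (lock) {
            if (!OpenSSLStatus.isInitialized()) {
                return;
            }
            if (--referenceCount != 0) {
                return;
            }
            OpenSSLStatus.setAvailable(false);
            try {
                if (openssl_h.OpenSSL_version_num() < OPENSSL_3_VERSION_NUM) {
                    freeDHParameters();
                    if (!MemorySegment.NULL.equals(enginePointer)) {
                        openssl_h.ENGINE_free(enginePointer);
                        enginePointer = MemorySegment.NULL;
                    }
                    openssl_h_Compatibility.FIPS_mode_set(FIPS_OFF);
                }
            } finally {
                // Reset the flags even when a native call fails.
                OpenSSLStatus.setInitialized(false);
                fipsModeActive = false;
            }
        }
    }

    /** Returns the configured engine setting. */
    public static String getSSLEngine() {
        return SSLEngine;
    }

    /**
     * Sets the engine: "on", "off", "auto", or an ENGINE id / shared-object path. Because the
     * value can name native code to load, it has to come from trusted configuration.
     *
     * @throws IllegalStateException if the value changes after initialisation
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static void setSSLEngine(String str) {
        if (str.equals(SSLEngine)) {
            return;
        }
        if (OpenSSLStatus.isInitialized()) {
            throw new IllegalStateException(sm.getString("openssllibrary.tooLateForSSLEngine"));
        }
        SSLEngine = str;
    }

    /** Returns the configured random seed source. */
    public static String getSSLRandomSeed() {
        return SSLRandomSeed;
    }

    /**
     * Sets the random seed source: "builtin" or the path of a seed file.
     *
     * @throws IllegalStateException if the value changes after initialisation
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static void setSSLRandomSeed(String str) {
        if (str.equals(SSLRandomSeed)) {
            return;
        }
        if (OpenSSLStatus.isInitialized()) {
            throw new IllegalStateException(sm.getString("openssllibrary.tooLateForSSLRandomSeed"));
        }
        SSLRandomSeed = str;
    }

    /** Returns the configured FIPS mode. */
    public static String getFIPSMode() {
        return FIPSMode;
    }

    /**
     * Sets the FIPS mode ("off", "on", "require" or "enter"); the value is validated in
     * {@link #init()}, not here.
     *
     * @throws IllegalStateException if the value changes after initialisation
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public static void setFIPSMode(String str) {
        if (str.equals(FIPSMode)) {
            return;
        }
        if (OpenSSLStatus.isInitialized()) {
            throw new IllegalStateException(sm.getString("openssllibrary.tooLateForFIPSMode"));
        }
        FIPSMode = str;
    }

    /** Returns whether {@link #init()} found or put the library in FIPS mode. */
    public static boolean isFIPSModeActive() {
        return fipsModeActive;
    }

    /**
     * Expands an OpenSSL cipher expression into JSSE cipher names by applying it to a
     * throw-away server-side SSL context.
     *
     * <p>Failures are logged at warn level and are not propagated: the caller receives whatever
     * was collected so far, which is an empty list when the expression matches no cipher.
     *
     * @param str OpenSSL cipher list expression
     * @return JSSE names of the ciphers enabled by {@code str}; never {@code null}
     */
    public static List<String> findCiphers(String str) {
        List<String> ciphers = new ArrayList<>();
        // The arena and both native handles are released on every path; the decompiled form
        // skipped the arena on exceptions.
        try (Arena arena = Arena.ofConfined()) {
            initLibrary();
            MemorySegment sslCtx = openssl_h.SSL_CTX_new(openssl_h.TLS_server_method());
            try {
                openssl_h_Compatibility.SSL_CTX_set_options(sslCtx, openssl_h.SSL_OP_ALL());
                openssl_h.SSL_CTX_set_cipher_list(sslCtx, arena.allocateFrom(str));
                MemorySegment ssl = openssl_h.SSL_new(sslCtx);
                try {
                    openssl_h.SSL_set_accept_state(ssl);
                    // getCiphers returns null for an empty cipher stack; the resulting
                    // NullPointerException is caught below and logged like any other failure.
                    for (String name : getCiphers(ssl)) {
                        // NOTE(review): the duplicate test compares the OpenSSL name with a list
                        // of JSSE names, so it only filters when both names are identical.
                        if (name != null && !name.isEmpty() && !ciphers.contains(name)) {
                            ciphers.add(OpenSSLCipherConfigurationParser.openSSLToJsse(name));
                        }
                    }
                } finally {
                    openssl_h.SSL_free(ssl);
                }
            } finally {
                openssl_h.SSL_CTX_free(sslCtx);
            }
        } catch (Exception e) {
            log.warn(sm.getString("openssllibrary.ciphersFailure"), e);
        }
        return ciphers;
    }

    /**
     * Reads the OpenSSL names of the ciphers attached to a native SSL handle. JADX reports
     * that it widened the access of this method from package-private.
     *
     * @param memorySegment native SSL handle
     * @return the cipher names, or {@code null} when the cipher stack is empty or unavailable
     */
    public static String[] getCiphers(MemorySegment memorySegment) {
        MemorySegment cipherStack = openssl_h.SSL_get_ciphers(memorySegment);
        int count = openssl_h_Compatibility.OPENSSL_sk_num(cipherStack);
        if (count <= 0) {
            return null;
        }
        String[] names = new String[count];
        for (int i = 0; i < count; i++) {
            MemorySegment cipher = openssl_h_Compatibility.OPENSSL_sk_value(cipherStack, i);
            names[i] = openssl_h.SSL_CIPHER_get_name(cipher).getString(0L);
        }
        return names;
    }

    /**
     * Drains the OpenSSL error queue of the calling thread and returns the text of its first
     * entry; every entry is logged at debug level. JADX reports that it widened the access of
     * this method from package-private.
     *
     * @return the first queued error message, or {@code null} if the queue was empty
     */
    public static String getLastError() {
        String firstMessage = null;
        long error = openssl_h.ERR_get_error();
        if (error != openssl_h.SSL_ERROR_NONE()) {
            try (Arena arena = Arena.ofConfined()) {
                // One buffer is reused for every queue entry; ERR_error_string_n is given the
                // buffer length and the text is read back as a NUL-terminated string.
                MemorySegment buffer = arena.allocate(ValueLayout.JAVA_BYTE, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);
                do {
                    openssl_h.ERR_error_string_n(error, buffer, OPENSSL_ERROR_MESSAGE_BUFFER_SIZE);
                    String message = buffer.getString(0L);
                    if (firstMessage == null) {
                        firstMessage = message;
                    }
                    if (log.isDebugEnabled()) {
                        log.debug(sm.getString("engine.openSSLError", Long.toString(error), message));
                    }
                    error = openssl_h.ERR_get_error();
                } while (error != openssl_h.SSL_ERROR_NONE());
            }
        }
        return firstMessage;
    }
}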
