package com.trilead.ssh2.transport;

import com.trilead.ssh2.ConnectionInfo;
import com.trilead.ssh2.DHGexParameters;
import com.trilead.ssh2.ServerHostKeyVerifier;
import com.trilead.ssh2.crypto.CryptoWishList;
import com.trilead.ssh2.crypto.KeyMaterial;
import com.trilead.ssh2.crypto.cipher.BlockCipherFactory;
import com.trilead.ssh2.crypto.dh.DhExchange;
import com.trilead.ssh2.crypto.dh.DhGroupExchange;
import com.trilead.ssh2.crypto.digest.MessageMac;
import com.trilead.ssh2.log.Logger;
import com.trilead.ssh2.packets.PacketKexDHInit;
import com.trilead.ssh2.packets.PacketKexDHReply;
import com.trilead.ssh2.packets.PacketKexDhGexGroup;
import com.trilead.ssh2.packets.PacketKexDhGexInit;
import com.trilead.ssh2.packets.PacketKexDhGexReply;
import com.trilead.ssh2.packets.PacketKexDhGexRequest;
import com.trilead.ssh2.packets.PacketKexDhGexRequestOld;
import com.trilead.ssh2.packets.PacketKexInit;
import com.trilead.ssh2.packets.PacketNewKeys;
import com.trilead.ssh2.signature.KeyAlgorithm;
import com.trilead.ssh2.signature.KeyAlgorithmManager;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;

/* loaded from: classes2.dex */
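/**
 * Client-side SSH key-exchange (KEX) state machine.
 *
 * <p>The manager receives the transport-layer KEX messages through
 * {@link #handleMessage(byte[], int)}, negotiates algorithms against the peer's
 * proposal, runs either a fixed-group or a group-exchange Diffie-Hellman, checks the
 * server host key and its signature over the exchange hash, derives key material and
 * finally switches the send/receive ciphers on the {@code TransportManager}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every byte handled here comes from the remote peer before (or while) keys are
 *       established and must be treated as untrusted.</li>
 *   <li>If no {@code ServerHostKeyVerifier} is configured, the host key is only checked
 *       for a valid signature, not for identity. Such a connection is open to an active
 *       man-in-the-middle; callers should always supply a verifier.</li>
 *   <li>The default KEX list still offers SHA-1 based methods and the 1024-bit
 *       {@code diffie-hellman-group1-sha1}. They are kept for interoperability only;
 *       RFC 9142 advises against group1-sha1 and group-exchange-sha1. Restrict the
 *       {@code CryptoWishList} where the peer allows it.</li>
 * </ul>
 *
 * <p>{@code handleMessage} and {@code initiateKEX} are synchronized on this instance;
 * {@code accessLock} guards {@code lastConnInfo} and {@code connectionClosed}.
 */
public class KexManager implements MessageHandler {
    /** SSH_MSG_KEXINIT message number (RFC 4253). */
    private static final int SSH_MSG_KEXINIT = 20;
    /** SSH_MSG_NEWKEYS message number (RFC 4253). */
    private static final int SSH_MSG_NEWKEYS = 21;

    private static final String KEX_DH_GEX_SHA1 = "diffie-hellman-group-exchange-sha1";
    private static final String KEX_DH_GEX_SHA256 = "diffie-hellman-group-exchange-sha256";
    private static final String KEX_DH_GROUP1_SHA1 = "diffie-hellman-group1-sha1";
    private static final String KEX_DH_GROUP14_SHA1 = "diffie-hellman-group14-sha1";

    // Values stored in KexState.state by this class.
    /** No KEXINIT processed yet (presumably the default of a fresh KexState - confirm). */
    private static final int STATE_INITIAL = 0;
    /** Our DH init / group-exchange request was sent; waiting for the peer's answer. */
    private static final int STATE_AWAIT_REPLY = 1;
    /** Group exchange only: our DH-GEX init was sent; waiting for the DH-GEX reply. */
    private static final int STATE_AWAIT_GEX_REPLY = 2;
    /** Exchange finished and our NEWKEYS was sent; waiting for the peer's NEWKEYS. */
    private static final int STATE_AWAIT_NEWKEYS = -1;

    ClientServerHello csh;
    final String hostname;
    KeyMaterial km;
    KexState kxs;
    CryptoWishList nextKEXcryptoWishList;
    final int port;
    final SecureRandom rnd;
    byte[] sessionId;
    final TransportManager tm;
    ServerHostKeyVerifier verifier;
    private static final Logger log = Logger.getLogger(KexManager.class);
    private static final List<String> DEFAULT_KEY_ALGORITHMS = buildDefaultKeyAlgorithms();
    int kexCount = 0;
    final Object accessLock = new Object();
    ConnectionInfo lastConnInfo = null;
    boolean connectionClosed = false;
    boolean ignore_next_kex_packet = false;
    DHGexParameters nextKEXdhgexParameters = new DHGexParameters();

    /**
     * Creates a key-exchange manager for one connection.
     *
     * @param transportManager transport used to send KEX packets and to switch ciphers
     * @param clientServerHello the identification strings exchanged by both sides
     * @param cryptoWishList algorithm proposal used for the next key exchange
     * @param str host name handed to the host key verifier
     * @param i port handed to the host key verifier
     * @param serverHostKeyVerifier host key verifier; when {@code null} the host key
     *        identity is NOT checked (see the class notes)
     * @param secureRandom randomness source for KEXINIT and the DH exchanges
     */
    public KexManager(TransportManager transportManager, ClientServerHello clientServerHello, CryptoWishList cryptoWishList, String str, int i, ServerHostKeyVerifier serverHostKeyVerifier, SecureRandom secureRandom) {
        this.tm = transportManager;
        this.csh = clientServerHello;
        this.nextKEXcryptoWishList = cryptoWishList;
        this.hostname = str;
        this.port = i;
        this.verifier = serverHostKeyVerifier;
        this.rnd = secureRandom;
    }

    /** Collects the key format names of all algorithms known to {@code KeyAlgorithmManager}. */
    private static List<String> buildDefaultKeyAlgorithms() {
        List<String> formats = new ArrayList<String>();
        for (KeyAlgorithm<PublicKey, PrivateKey> algorithm : KeyAlgorithmManager.getSupportedAlgorithms()) {
            formats.add(algorithm.getKeyFormat());
        }
        return formats;
    }

    /** Returns {@code true} for the two group-exchange KEX method names. */
    private static boolean isGroupExchange(String kexAlgo) {
        return KEX_DH_GEX_SHA1.equals(kexAlgo) || KEX_DH_GEX_SHA256.equals(kexAlgo);
    }

    /** Returns {@code true} for the two fixed-group (group1 / group14) KEX method names. */
    private static boolean isFixedGroup(String kexAlgo) {
        return KEX_DH_GROUP1_SHA1.equals(kexAlgo) || KEX_DH_GROUP14_SHA1.equals(kexAlgo);
    }

    /**
     * Validates a caller-supplied list of KEX method names.
     *
     * @param strArr names to check
     * @throws IllegalArgumentException if a name is not one of the four supported methods
     */
    public static void checkKexAlgorithmList(String[] strArr) {
        for (String name : strArr) {
            if (!isGroupExchange(name) && !isFixedGroup(name)) {
                throw new IllegalArgumentException("Unknown kex algorithm '" + name + "'");
            }
        }
    }

    /**
     * Validates a caller-supplied list of server host key algorithm names against the
     * key formats reported by {@code KeyAlgorithmManager}.
     *
     * @param strArr names to check
     * @throws IllegalArgumentException if a name matches no supported key format
     */
    public static void checkServerHostkeyAlgorithmsList(String[] strArr) {
        for (String name : strArr) {
            boolean supported = false;
            for (KeyAlgorithm<PublicKey, PrivateKey> algorithm : KeyAlgorithmManager.getSupportedAlgorithms()) {
                if (algorithm.getKeyFormat().equals(name)) {
                    supported = true;
                    break;
                }
            }
            if (!supported) {
                throw new IllegalArgumentException("Unknown server host key algorithm '" + name + "'");
            }
        }
    }

    /**
     * Compares the first (most preferred) entries of two name lists.
     *
     * @return {@code true} if both lists are empty or their first entries are equal
     * @throws IllegalArgumentException if either list is {@code null}
     */
    private boolean compareFirstOfNameList(String[] strArr, String[] strArr2) {
        if (strArr == null || strArr2 == null) {
            throw new IllegalArgumentException();
        }
        if (strArr.length == 0 && strArr2.length == 0) {
            return true;
        }
        if (strArr.length == 0 || strArr2.length == 0) {
            return false;
        }
        return strArr[0].equals(strArr2[0]);
    }

    /**
     * Derives the session key material from the finished exchange (H, K, session id and
     * the negotiated cipher/MAC sizes) and stores it in {@code km}.
     *
     * @return {@code false} if a size lookup or the derivation rejected its arguments;
     *         {@code km} is left untouched in that case
     */
    private boolean establishKeyMaterial() {
        try {
            int macKeyLenC2s = MessageMac.getKeyLength(this.kxs.np.mac_algo_client_to_server);
            int encKeyLenC2s = BlockCipherFactory.getKeySize(this.kxs.np.enc_algo_client_to_server);
            int encBlockLenC2s = BlockCipherFactory.getBlockSize(this.kxs.np.enc_algo_client_to_server);
            int macKeyLenS2c = MessageMac.getKeyLength(this.kxs.np.mac_algo_server_to_client);
            int encKeyLenS2c = BlockCipherFactory.getKeySize(this.kxs.np.enc_algo_server_to_client);
            int encBlockLenS2c = BlockCipherFactory.getBlockSize(this.kxs.np.enc_algo_server_to_client);
            this.km = KeyMaterial.create(this.kxs.getHashAlgorithm(), this.kxs.H, this.kxs.K, this.sessionId, encKeyLenC2s, encBlockLenC2s, macKeyLenC2s, encKeyLenS2c, encBlockLenS2c, macKeyLenS2c);
            return true;
        } catch (IllegalArgumentException unused) {
            return false;
        }
    }

    /**
     * Completes our side of the exchange: fixes the session id on the first exchange,
     * derives key material, sends SSH_MSG_NEWKEYS and switches the send cipher.
     *
     * @throws IOException if key material could not be derived or the cipher/MAC could
     *         not be set up
     */
    private void finishKex() throws IOException {
        if (this.sessionId == null) {
            // The first exchange hash becomes the session id and is never replaced.
            this.sessionId = this.kxs.H;
        }
        // Fail closed: without this check a failed derivation would leave km null (NPE
        // below) or, on a re-key, silently keep using the previous exchange's keys.
        if (!establishKeyMaterial()) {
            throw new IOException("Fatal error during key material setup!");
        }
        this.tm.sendKexMessage(new PacketNewKeys().getPayload());
        try {
            this.tm.changeSendCipher(BlockCipherFactory.createCipher(this.kxs.np.enc_algo_client_to_server, true, this.km.enc_key_client_to_server, this.km.initial_iv_client_to_server), new MessageMac(this.kxs.np.mac_algo_client_to_server, this.km.integrity_key_client_to_server));
            this.tm.kexFinished();
        } catch (IllegalArgumentException e) {
            throw new IOException("Fatal error during MAC startup!", e);
        }
    }

    /**
     * Returns the KEX methods offered by default, most preferred first.
     *
     * <p>The SHA-1 based methods and the 1024-bit group1 are included for
     * interoperability with old servers; pass a narrower list where possible.
     */
    public static String[] getDefaultKexAlgorithmList() {
        return new String[]{KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA1, KEX_DH_GROUP14_SHA1, KEX_DH_GROUP1_SHA1};
    }

    /** Returns a fresh array holding the key formats of all supported host key algorithms. */
    public static String[] getDefaultServerHostkeyAlgorithmList() {
        return DEFAULT_KEY_ALGORITHMS.toArray(new String[DEFAULT_KEY_ALGORITHMS.size()]);
    }

    /**
     * Picks the first entry of the first list that also occurs in the second list.
     * Callers pass the local proposal first, so the local preference order wins.
     *
     * @return the match, or {@code null} if the first list is empty
     * @throws NegotiateException if the first list is non-empty and nothing matches
     * @throws IllegalArgumentException if either list is {@code null}
     */
    private String getFirstMatch(String[] strArr, String[] strArr2) throws NegotiateException {
        if (strArr == null || strArr2 == null) {
            throw new IllegalArgumentException();
        }
        if (strArr.length == 0) {
            return null;
        }
        for (String candidate : strArr) {
            for (String offered : strArr2) {
                if (candidate.equals(offered)) {
                    return candidate;
                }
            }
        }
        throw new NegotiateException();
    }

    /**
     * Tells whether both proposals put the same KEX method and the same host key
     * algorithm first, i.e. whether a guessed first KEX packet can be used.
     *
     * @throws IllegalArgumentException if either parameter set is {@code null}
     */
    private boolean isGuessOK(KexParameters kexParameters, KexParameters kexParameters2) {
        if (kexParameters == null || kexParameters2 == null) {
            throw new IllegalArgumentException();
        }
        return compareFirstOfNameList(kexParameters.kex_algorithms, kexParameters2.kex_algorithms) && compareFirstOfNameList(kexParameters.server_host_key_algorithms, kexParameters2.server_host_key_algorithms);
    }

    /**
     * Intersects two proposals category by category.
     *
     * @param kexParameters the proposal whose order decides (the local one at the call site)
     * @param kexParameters2 the other proposal (the peer's at the call site)
     * @return the negotiated algorithms, or {@code null} if a mandatory category has no
     *         common entry; a language mismatch is tolerated and yields {@code null}
     *         for that field only
     */
    private NegotiatedParameters mergeKexParameters(KexParameters kexParameters, KexParameters kexParameters2) {
        NegotiatedParameters result = new NegotiatedParameters();
        try {
            // 30 is a level of the project's Logger; its meaning is not visible here.
            result.kex_algo = getFirstMatch(kexParameters.kex_algorithms, kexParameters2.kex_algorithms);
            log.log(30, "kex_algo=" + result.kex_algo);
            result.server_host_key_algo = getFirstMatch(kexParameters.server_host_key_algorithms, kexParameters2.server_host_key_algorithms);
            log.log(30, "server_host_key_algo=" + result.server_host_key_algo);
            result.enc_algo_client_to_server = getFirstMatch(kexParameters.encryption_algorithms_client_to_server, kexParameters2.encryption_algorithms_client_to_server);
            result.enc_algo_server_to_client = getFirstMatch(kexParameters.encryption_algorithms_server_to_client, kexParameters2.encryption_algorithms_server_to_client);
            log.log(30, "enc_algo_client_to_server=" + result.enc_algo_client_to_server);
            log.log(30, "enc_algo_server_to_client=" + result.enc_algo_server_to_client);
            result.mac_algo_client_to_server = getFirstMatch(kexParameters.mac_algorithms_client_to_server, kexParameters2.mac_algorithms_client_to_server);
            result.mac_algo_server_to_client = getFirstMatch(kexParameters.mac_algorithms_server_to_client, kexParameters2.mac_algorithms_server_to_client);
            log.log(30, "mac_algo_client_to_server=" + result.mac_algo_client_to_server);
            log.log(30, "mac_algo_server_to_client=" + result.mac_algo_server_to_client);
            result.comp_algo_client_to_server = getFirstMatch(kexParameters.compression_algorithms_client_to_server, kexParameters2.compression_algorithms_client_to_server);
            result.comp_algo_server_to_client = getFirstMatch(kexParameters.compression_algorithms_server_to_client, kexParameters2.compression_algorithms_server_to_client);
            log.log(30, "comp_algo_client_to_server=" + result.comp_algo_client_to_server);
            log.log(30, "comp_algo_server_to_client=" + result.comp_algo_server_to_client);
            try {
                result.lang_client_to_server = getFirstMatch(kexParameters.languages_client_to_server, kexParameters2.languages_client_to_server);
            } catch (NegotiateException ignored) {
                // Languages are optional: no common entry is not a negotiation failure.
                result.lang_client_to_server = null;
            }
            try {
                result.lang_server_to_client = getFirstMatch(kexParameters.languages_server_to_client, kexParameters2.languages_server_to_client);
            } catch (NegotiateException ignored) {
                result.lang_server_to_client = null;
            }
            if (isGuessOK(kexParameters, kexParameters2)) {
                result.guessOK = true;
            }
            return result;
        } catch (NegotiateException noCommonAlgorithm) {
            return null;
        }
    }

    /**
     * Verifies the server's signature over the exchange hash {@code H} with the
     * negotiated host key algorithm.
     *
     * @param bArr encoded signature sent by the server
     * @param bArr2 encoded server host key
     * @return the result of the algorithm's signature check
     * @throws IOException if the negotiated host key algorithm is not supported
     */
    private boolean verifySignature(byte[] bArr, byte[] bArr2) throws IOException {
        String negotiated = this.kxs.np.server_host_key_algo;
        for (KeyAlgorithm<PublicKey, PrivateKey> algorithm : KeyAlgorithmManager.getSupportedAlgorithms()) {
            if (algorithm.getKeyFormat().equals(negotiated)) {
                return algorithm.verifySignature(this.kxs.H, algorithm.decodeSignature(bArr), algorithm.decodePublicKey(bArr2));
            }
        }
        throw new IOException("Unknown server host key algorithm '" + negotiated + "'");
    }

    /**
     * Hands the received host key ({@code kxs.hostkey}) to the configured verifier.
     *
     * <p>With a {@code null} verifier this is a no-op, which means the server's identity
     * is not authenticated at all. NOTE(review): the callback runs before the signature
     * over H is checked, so a verifier that persists accepted keys does so before the
     * peer has proven possession of the private key.
     *
     * @throws IOException if the verifier rejects the key or throws
     */
    private void checkServerHostKey() throws IOException {
        ServerHostKeyVerifier hostKeyVerifier = this.verifier;
        if (hostKeyVerifier == null) {
            return;
        }
        try {
            if (!hostKeyVerifier.verifyServerHostKey(this.hostname, this.port, this.kxs.np.server_host_key_algo, this.kxs.hostkey)) {
                throw new IOException("The server hostkey was not accepted by the verifier callback");
            }
        } catch (Exception e) {
            // Also wraps the rejection thrown just above, as the original code did.
            throw new IOException("The server hostkey was not accepted by the verifier callback.", e);
        }
    }

    /**
     * Blocks until a key exchange with at least the given sequence number has completed.
     *
     * @param i minimum {@code keyExchangeCounter} the caller needs
     * @return the connection info of the most recent completed exchange
     * @throws IOException if the connection is closed before such an exchange finishes
     * @throws InterruptedIOException if the waiting thread is interrupted
     */
    public ConnectionInfo getOrWaitForConnectionInfo(int i) throws IOException {
        synchronized (this.accessLock) {
            while (true) {
                ConnectionInfo latest = this.lastConnInfo;
                if (latest != null && latest.keyExchangeCounter >= i) {
                    // Return from inside the loop; the decompiled form never left it.
                    return latest;
                }
                if (this.connectionClosed) {
                    throw new IOException("Key exchange was not finished, connection is closed.", this.tm.getReasonClosedCause());
                }
                try {
                    this.accessLock.wait();
                } catch (InterruptedException unused) {
                    throw new InterruptedIOException();
                }
            }
        }
    }

    /** Marks the connection as closed and wakes every thread waiting for a key exchange. */
    @Override
    public void handleEndMessage(Throwable th) throws IOException {
        synchronized (this.accessLock) {
            this.connectionClosed = true;
            this.accessLock.notifyAll();
        }
    }

    /**
     * Processes one KEX message received from the (untrusted) peer and advances the
     * state machine.
     *
     * @param bArr message buffer; the first byte is the SSH message number
     * @param i length argument forwarded to the packet parsers
     * @throws IOException on protocol violations, a rejected host key, a bad signature
     *         or a failed cipher/MAC setup
     * @throws IllegalStateException if the negotiated method or the state is unknown
     */
    @Override
    public synchronized void handleMessage(byte[] bArr, int i) throws IOException {
        if (bArr == null || bArr.length == 0) {
            // Nothing to dispatch on; reject instead of failing on bArr[0].
            throw new IOException("Unexpected empty KEX message");
        }
        final KexState current = this.kxs;
        final int type = bArr[0];
        if (current == null && type != SSH_MSG_KEXINIT) {
            throw new IOException("Unexpected KEX message (type " + type + ")");
        }
        if (this.ignore_next_kex_packet) {
            // The peer announced a guessed first packet and the guess was wrong.
            this.ignore_next_kex_packet = false;
            return;
        }
        if (type == SSH_MSG_KEXINIT) {
            handleKexInit(bArr, i);
            return;
        }
        if (type == SSH_MSG_NEWKEYS) {
            handleNewKeys();
            return;
        }
        if (current == null || current.state == STATE_INITIAL) {
            throw new IOException("Unexpected Kex submessage!");
        }
        final String kexAlgo = this.kxs.np.kex_algo;
        if (isGroupExchange(kexAlgo)) {
            if (this.kxs.state == STATE_AWAIT_REPLY) {
                handleDhGexGroup(bArr, i);
                return;
            }
            if (this.kxs.state != STATE_AWAIT_GEX_REPLY) {
                throw new IllegalStateException("Illegal State in KEX Exchange!");
            }
            handleDhGexReply(bArr, i);
            return;
        }
        if (!isFixedGroup(kexAlgo) || this.kxs.state != STATE_AWAIT_REPLY) {
            throw new IllegalStateException("Unkown KEX method! (" + kexAlgo + ")");
        }
        handleDhReply(bArr, i);
    }

    /** Creates a fresh {@code KexState} and sends our own KEXINIT proposal. */
    private void sendLocalKexInit() throws IOException {
        KexState fresh = new KexState();
        this.kxs = fresh;
        fresh.dhgexParameters = this.nextKEXdhgexParameters;
        PacketKexInit localInit = new PacketKexInit(this.nextKEXcryptoWishList, this.rnd);
        this.kxs.localKEX = localInit;
        this.tm.sendKexMessage(localInit.getPayload());
    }

    /** Handles the peer's KEXINIT: negotiates algorithms and sends the first DH message. */
    private void handleKexInit(byte[] bArr, int i) throws IOException {
        KexState ongoing = this.kxs;
        if (ongoing != null && ongoing.state != STATE_INITIAL) {
            throw new IOException("Unexpected SSH_MSG_KEXINIT message during on-going kex exchange!");
        }
        if (ongoing == null) {
            // The peer started the (re-)exchange; answer with our own proposal first.
            sendLocalKexInit();
        }
        final KexState kex = this.kxs;
        kex.remoteKEX = new PacketKexInit(bArr, 0, i);
        kex.np = mergeKexParameters(kex.localKEX.getKexParameters(), kex.remoteKEX.getKexParameters());
        if (kex.np == null) {
            throw new IOException("Cannot negotiate, proposals do not match.");
        }
        if (kex.remoteKEX.isFirst_kex_packet_follows() && !kex.np.guessOK) {
            this.ignore_next_kex_packet = true;
        }
        final String kexAlgo = kex.np.kex_algo;
        if (isGroupExchange(kexAlgo)) {
            // A minimum group length of 0 selects the old-style request packet.
            if (kex.dhgexParameters.getMin_group_len() == 0) {
                this.tm.sendKexMessage(new PacketKexDhGexRequestOld(kex.dhgexParameters).getPayload());
            } else {
                this.tm.sendKexMessage(new PacketKexDhGexRequest(kex.dhgexParameters).getPayload());
            }
            kex.state = STATE_AWAIT_REPLY;
            kex.setHashAlgorithm(kexAlgo.endsWith("sha1") ? "SHA1" : MessageDigestAlgorithms.SHA_256);
            return;
        }
        if (!isFixedGroup(kexAlgo)) {
            throw new IllegalStateException("Unkown KEX method!");
        }
        kex.dhx = new DhExchange("SHA1");
        // group1 is the 1024-bit legacy group; anything else here is group14.
        kex.dhx.init(KEX_DH_GROUP1_SHA1.equals(kexAlgo) ? 1 : 14, this.rnd);
        this.tm.sendKexMessage(new PacketKexDHInit(kex.dhx.getE()).getPayload());
        kex.state = STATE_AWAIT_REPLY;
        kex.setHashAlgorithm(kex.dhx.getHashAlgorithm());
    }

    /** Handles the peer's NEWKEYS: switches the receive cipher and publishes the result. */
    private void handleNewKeys() throws IOException {
        if (this.km == null) {
            throw new IOException("Peer sent SSH_MSG_NEWKEYS, but I have no key material ready!");
        }
        final KexState kex = this.kxs;
        // On a re-key, km still holds the previous exchange's keys until finishKex()
        // replaces them. Only accept NEWKEYS once this exchange has actually finished,
        // so an early NEWKEYS cannot skip the host key and signature checks.
        if (kex.state != STATE_AWAIT_NEWKEYS) {
            throw new IOException("Peer sent SSH_MSG_NEWKEYS before the key exchange was finished!");
        }
        try {
            this.tm.changeRecvCipher(BlockCipherFactory.createCipher(kex.np.enc_algo_server_to_client, false, this.km.enc_key_server_to_client, this.km.initial_iv_server_to_client), new MessageMac(kex.np.mac_algo_server_to_client, this.km.integrity_key_server_to_client));
            ConnectionInfo info = new ConnectionInfo();
            this.kexCount++;
            info.keyExchangeAlgorithm = kex.np.kex_algo;
            info.keyExchangeCounter = this.kexCount;
            info.clientToServerCryptoAlgorithm = kex.np.enc_algo_client_to_server;
            info.serverToClientCryptoAlgorithm = kex.np.enc_algo_server_to_client;
            info.clientToServerMACAlgorithm = kex.np.mac_algo_client_to_server;
            info.serverToClientMACAlgorithm = kex.np.mac_algo_server_to_client;
            info.serverHostKeyAlgorithm = kex.np.server_host_key_algo;
            info.serverHostKey = kex.hostkey;
            synchronized (this.accessLock) {
                this.lastConnInfo = info;
                this.accessLock.notifyAll();
            }
            // Exchange complete; the next KEXINIT starts from a clean state.
            this.kxs = null;
        } catch (IllegalArgumentException e) {
            throw new IOException("Fatal error during MAC startup!", e);
        }
    }

    /** Handles the fixed-group DH reply: host key check, signature check, key derivation. */
    private void handleDhReply(byte[] bArr, int i) throws IOException {
        PacketKexDHReply reply = new PacketKexDHReply(bArr, 0, i);
        final KexState kex = this.kxs;
        kex.hostkey = reply.getHostKey();
        checkServerHostKey();
        kex.dhx.setF(reply.getF());
        try {
            kex.H = kex.dhx.calculateH(this.csh.getClientString(), this.csh.getServerString(), kex.localKEX.getPayload(), kex.remoteKEX.getPayload(), reply.getHostKey());
            if (!verifySignature(reply.getSignature(), kex.hostkey)) {
                throw new IOException("Hostkey signature sent by remote is wrong!");
            }
            kex.K = kex.dhx.getK();
            finishKex();
            kex.state = STATE_AWAIT_NEWKEYS;
        } catch (IllegalArgumentException e) {
            throw new IOException("KEX error.", e);
        }
    }

    /** Handles the group-exchange group message and answers with our DH-GEX init. */
    private void handleDhGexGroup(byte[] bArr, int i) throws IOException {
        PacketKexDhGexGroup group = new PacketKexDhGexGroup(bArr, 0, i);
        final KexState kex = this.kxs;
        // NOTE(review): p and g come from the peer and no size check against
        // dhgexParameters is visible here; confirm that DhGroupExchange or the packet
        // parser rejects a modulus outside the requested bounds.
        kex.dhgx = new DhGroupExchange(kex.getHashAlgorithm(), group.getP(), group.getG());
        kex.dhgx.init(this.rnd);
        this.tm.sendKexMessage(new PacketKexDhGexInit(kex.dhgx.getE()).getPayload());
        kex.state = STATE_AWAIT_GEX_REPLY;
    }

    /** Handles the group-exchange reply: host key check, signature check, key derivation. */
    private void handleDhGexReply(byte[] bArr, int i) throws IOException {
        PacketKexDhGexReply reply = new PacketKexDhGexReply(bArr, 0, i);
        final KexState kex = this.kxs;
        kex.hostkey = reply.getHostKey();
        checkServerHostKey();
        kex.dhgx.setF(reply.getF());
        try {
            kex.H = kex.dhgx.calculateH(this.csh.getClientString(), this.csh.getServerString(), kex.localKEX.getPayload(), kex.remoteKEX.getPayload(), reply.getHostKey(), kex.dhgexParameters);
            if (!verifySignature(reply.getSignature(), kex.hostkey)) {
                throw new IOException("Hostkey signature sent by remote is wrong!");
            }
            kex.K = kex.dhgx.getK();
            finishKex();
            kex.state = STATE_AWAIT_NEWKEYS;
        } catch (IllegalArgumentException e) {
            throw new IOException("KEX error.", e);
        }
    }

    /**
     * Stores the parameters for the next key exchange and, if none is in progress,
     * starts one by sending our KEXINIT.
     *
     * @param cryptoWishList algorithm proposal for the next exchange
     * @param dHGexParameters group-exchange size parameters for the next exchange
     * @throws IOException if the KEXINIT packet cannot be sent
     */
    public synchronized void initiateKEX(CryptoWishList cryptoWishList, DHGexParameters dHGexParameters) throws IOException {
        this.nextKEXcryptoWishList = cryptoWishList;
        this.nextKEXdhgexParameters = dHGexParameters;
        if (this.kxs == null) {
            sendLocalKexInit();
        }
    }
}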
