package tuwien.auto.calimero.secure;

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.BitSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.IntUnaryOperator;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import tuwien.auto.calimero.CloseEvent;
import tuwien.auto.calimero.DataUnitBuilder;
import tuwien.auto.calimero.FrameEvent;
import tuwien.auto.calimero.GroupAddress;
import tuwien.auto.calimero.IndividualAddress;
import tuwien.auto.calimero.KNXAddress;
import tuwien.auto.calimero.KNXException;
import tuwien.auto.calimero.KNXFormatException;
import tuwien.auto.calimero.KNXIllegalArgumentException;
import tuwien.auto.calimero.KNXTimeoutException;
import tuwien.auto.calimero.Priority;
import tuwien.auto.calimero.ReturnCode;
import tuwien.auto.calimero.SerialNumber;
import tuwien.auto.calimero.cemi.CEMI;
import tuwien.auto.calimero.cemi.CEMIFactory;
import tuwien.auto.calimero.cemi.CEMILData;
import tuwien.auto.calimero.internal.EventListeners;
import tuwien.auto.calimero.link.KNXLinkClosedException;
import tuwien.auto.calimero.link.KNXNetworkLink;
import tuwien.auto.calimero.link.NetworkLinkListener;
import tuwien.auto.calimero.log.LogService;
import tuwien.auto.calimero.secure.SecurityControl;

/* loaded from: input_file:tuwien/auto/calimero/secure/SecureApplicationLayer.class */
public class SecureApplicationLayer implements AutoCloseable {
    public static final int SecureService = 1009;
    protected static final int InvalidScf = 1;
    protected static final int SeqNoError = 2;
    protected static final int CryptoError = 3;
    protected static final int AccessAndRoleError = 4;
    static boolean test;
    static final int SecureDataPdu = 0;
    static final int SecureSyncRequest = 2;
    static final int SecureSyncResponse = 3;
    private static final int MacSize = 4;
    private static final int SeqSize = 6;
    private final KNXNetworkLink link;
    private final SerialNumber serialNumber;
    private final Logger logger;
    private volatile long sequenceNumber;
    private volatile long sequenceNumberToolAccess;
    private final Map<IndividualAddress, Long> lastValidSequence;
    private final Map<IndividualAddress, Long> lastValidSequenceToolAccess;
    private final Security security;
    private volatile Instant lastSyncRes;
    final Map<IndividualAddress, SyncRequest> pendingSyncRequests;
    private final Map<SerialNumber, SyncRequest> pendingBcSyncRequests;
    final ThreadLocal<Long> syncChallenge;
    private static final int FunctionPropertyExtCommand = 468;
    private static final int FunctionPropertyExtStateResponse = 470;
    private static final int GroupObjectTableType = 9;
    private static final int pidGoDiagnostics = 66;
    private final Map<IndividualAddress, CompletableFuture<ReturnCode>> pendingGoDiagnostics;
    private final AtomicInteger scfErrors;
    private final AtomicInteger seqErrors;
    private final AtomicInteger cryptoErrors;
    private final AtomicInteger accessAndRoleErrors;
    private final EventListeners<NetworkLinkListener> listeners;
    private final NetworkLinkListener linkListener;
    private static final String secureSymbol = new String(Character.toChars(128274));
    private static final IntUnaryOperator saturatingIncrement = i -> {
        return Math.min(i + 1, 65535);
    };
    private static final SecureRandom rng = new SecureRandom();

    /* loaded from: input_file:tuwien/auto/calimero/secure/SecureApplicationLayer$SalService.class */
    public final class SalService {
        private final SecurityControl ctrl;
        private final byte[] apdu;

        SalService(SecurityControl securityControl, byte[] bArr) {
            this.apdu = bArr;
            this.ctrl = securityControl;
        }

        public SecurityControl security() {
            return this.ctrl;
        }

        public byte[] apdu() {
            return (byte[]) this.apdu.clone();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:tuwien/auto/calimero/secure/SecureApplicationLayer$SyncRequest.class */
    public static final class SyncRequest {
        private static final Duration SyncTimeout = Duration.ofSeconds(6);
        final long challenge;
        final CompletableFuture<Void> future = new CompletableFuture().orTimeout(SyncTimeout.toSeconds(), TimeUnit.SECONDS);
        private final byte[] key;

        SyncRequest(long j, byte[] bArr) {
            this.challenge = j;
            this.key = (byte[]) bArr.clone();
        }

        byte[] key() {
            return this.key;
        }

        void complete() {
            this.future.complete(null);
        }
    }

    public static final boolean isSecuredService(CEMILData cEMILData) {
        byte[] payload = cEMILData.getPayload();
        return payload.length >= 2 && DataUnitBuilder.getAPDUService(payload) == 1009;
    }

    public SecureApplicationLayer(KNXNetworkLink kNXNetworkLink, Security security) {
        this(kNXNetworkLink, SerialNumber.Zero, 0L, security);
        kNXNetworkLink.addLinkListener(this.linkListener);
    }

    public SecureApplicationLayer(KNXNetworkLink kNXNetworkLink, Map<GroupAddress, byte[]> map, Map<GroupAddress, Set<IndividualAddress>> map2, Map<IndividualAddress, byte[]> map3) {
        this(kNXNetworkLink, SerialNumber.Zero, 0L, Security.withKeys(map3, map, map2));
        kNXNetworkLink.addLinkListener(this.linkListener);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SecureApplicationLayer(KNXNetworkLink kNXNetworkLink, SerialNumber serialNumber, long j, Map<IndividualAddress, byte[]> map) {
        this(kNXNetworkLink, serialNumber, j, Security.withKeys(map, Map.of(), Map.of()));
    }

    private SecureApplicationLayer(KNXNetworkLink kNXNetworkLink, SerialNumber serialNumber, long j, Security security) {
        this.lastValidSequence = new ConcurrentHashMap();
        this.lastValidSequenceToolAccess = new ConcurrentHashMap();
        this.lastSyncRes = Instant.EPOCH;
        this.pendingSyncRequests = new ConcurrentHashMap();
        this.pendingBcSyncRequests = new ConcurrentHashMap();
        this.syncChallenge = ThreadLocal.withInitial(() -> {
            return 0L;
        });
        this.pendingGoDiagnostics = new ConcurrentHashMap();
        this.scfErrors = new AtomicInteger();
        this.seqErrors = new AtomicInteger();
        this.cryptoErrors = new AtomicInteger();
        this.accessAndRoleErrors = new AtomicInteger();
        this.listeners = new EventListeners<>();
        this.linkListener = new NetworkLinkListener() { // from class: tuwien.auto.calimero.secure.SecureApplicationLayer.1
            @Override // tuwien.auto.calimero.link.LinkListener
            public void indication(FrameEvent frameEvent) {
                Optional<FrameEvent> extract = SecureApplicationLayer.this.extract(frameEvent);
                SecureApplicationLayer secureApplicationLayer = SecureApplicationLayer.this;
                extract.ifPresent(secureApplicationLayer::dispatchLinkEvent);
            }

            @Override // tuwien.auto.calimero.link.NetworkLinkListener
            public void confirmation(FrameEvent frameEvent) {
                Optional<FrameEvent> extract = SecureApplicationLayer.this.extract(frameEvent);
                SecureApplicationLayer secureApplicationLayer = SecureApplicationLayer.this;
                extract.ifPresent(secureApplicationLayer::dispatchLinkEvent);
            }

            @Override // tuwien.auto.calimero.link.LinkListener
            public void linkClosed(CloseEvent closeEvent) {
                SecureApplicationLayer.this.listeners.fire(networkLinkListener -> {
                    networkLinkListener.linkClosed(closeEvent);
                });
            }
        };
        this.link = kNXNetworkLink;
        this.serialNumber = serialNumber;
        this.logger = LogService.getLogger("calimero." + secureSymbol + "-AL " + kNXNetworkLink.getName());
        this.security = security;
        this.sequenceNumber = j;
        this.sequenceNumberToolAccess = 1L;
    }

    public void addListener(NetworkLinkListener networkLinkListener) {
        this.listeners.add(networkLinkListener);
    }

    public void removeListener(NetworkLinkListener networkLinkListener) {
        this.listeners.remove(networkLinkListener);
    }

    public Optional<byte[]> secureGroupObject(IndividualAddress individualAddress, GroupAddress groupAddress, byte[] bArr) throws InterruptedException {
        int groupObjectSecurity = groupObjectSecurity(groupAddress);
        boolean z = (groupObjectSecurity & 2) == 2;
        boolean z2 = (groupObjectSecurity & 1) == 1;
        if (!z && !z2) {
            return Optional.empty();
        }
        return secureData(individualAddress, groupAddress, bArr, SecurityControl.of(z ? SecurityControl.DataSecurity.AuthConf : SecurityControl.DataSecurity.Auth, this.sequenceNumber == 0));
    }

    public CompletableFuture<ReturnCode> writeGroupObjectDiagnostics(GroupAddress groupAddress, byte[] bArr) throws KNXTimeoutException, KNXLinkClosedException, InterruptedException {
        int i = bArr.length == 0 ? 3 : 1;
        SecurityControl.DataSecurity dataSecurity = SecurityControl.DataSecurity.AuthConf;
        byte[] createAPDU = DataUnitBuilder.createAPDU(FunctionPropertyExtCommand, ByteBuffer.allocate(10 + bArr.length).putShort((short) 9).put((byte) 0).put((byte) 16).put((byte) 66).put((byte) 0).put((byte) i).put((byte) (((bArr.length != 1 || bArr[0] >= 64) ? false : false ? 128 : 0) | (dataSecurity == SecurityControl.DataSecurity.AuthConf ? 3 : dataSecurity == SecurityControl.DataSecurity.Auth ? 1 : 0))).put(groupAddress.toByteArray()).put(bArr).array());
        IndividualAddress surrogate = surrogate(groupAddress);
        byte[] bArr2 = secureData(address(), surrogate, createAPDU, SecurityControl.of(SecurityControl.DataSecurity.AuthConf, true)).get();
        this.logger.trace("{}->{} GO diagnostics {} {}", new Object[]{address(), surrogate, Integer.valueOf(i), DataUnitBuilder.toHex(bArr, " ")});
        send(surrogate, bArr2);
        CompletableFuture<ReturnCode> orTimeout = new CompletableFuture().orTimeout(3L, TimeUnit.SECONDS);
        this.pendingGoDiagnostics.put(surrogate, orTimeout);
        return orTimeout.whenComplete((returnCode, th) -> {
            this.pendingGoDiagnostics.remove(surrogate);
        });
    }

    private void checkGoDiagnosticsResponse(IndividualAddress individualAddress, IndividualAddress individualAddress2, int i, byte[] bArr) {
        if (i != FunctionPropertyExtStateResponse || bArr.length < 9) {
            return;
        }
        ByteBuffer wrap = ByteBuffer.wrap(bArr, 2, bArr.length - 2);
        if ((wrap.getShort() & 65535) != 9) {
            return;
        }
        int i2 = wrap.getShort() & 65535;
        if (((i2 >> 4) & 4095) == 1 && (((i2 & 15) << 8) | (wrap.get() & 255)) == 66) {
            ReturnCode of = ReturnCode.of(wrap.get() & 255);
            this.logger.trace("{}->{} GO diagnostics {} {}", new Object[]{individualAddress, individualAddress2, Integer.valueOf(wrap.get() & 255), of});
            CompletableFuture<ReturnCode> completableFuture = this.pendingGoDiagnostics.get(individualAddress);
            if (completableFuture != null) {
                completableFuture.complete(of);
            }
        }
    }

    public Optional<byte[]> secureBroadcastData(IndividualAddress individualAddress, SerialNumber serialNumber, IndividualAddress individualAddress2, byte[] bArr, SecurityControl securityControl) throws InterruptedException {
        if (securityControl == SecurityControl.Plain) {
            return Optional.of(bArr);
        }
        boolean z = securityControl.toolAccess();
        byte[] bArr2 = this.security.broadcastToolKeys().get(serialNumber);
        if (bArr2 == null) {
            bArr2 = lookupKey(individualAddress2, z);
        }
        if (bArr2 == null) {
            return Optional.empty();
        }
        if (nextSequenceNumber(z) <= 1) {
            try {
                broadcastSyncRequest(serialNumber, bArr2, z, securityControl.systemBroadcast()).get();
            } catch (ExecutionException e) {
                throw new KnxSecureException("sync.req with " + individualAddress2, e.getCause());
            } catch (KNXTimeoutException | KNXLinkClosedException e2) {
                throw new KnxSecureException("sync.req with " + individualAddress2, e2);
            }
        }
        Optional<byte[]> secure = secure(0, individualAddress, GroupAddress.Broadcast, bArr, securityControl, bArr2);
        updateSequenceNumber(z, nextSequenceNumber(z) + 1);
        return secure;
    }

    public Optional<byte[]> secureData(IndividualAddress individualAddress, KNXAddress kNXAddress, byte[] bArr, SecurityControl securityControl) throws InterruptedException {
        if (securityControl == SecurityControl.Plain) {
            return Optional.of(bArr);
        }
        boolean z = securityControl.toolAccess();
        if (kNXAddress.equals(GroupAddress.Broadcast) && !z) {
            throw new KNXIllegalArgumentException("p2p broadcast not supported");
        }
        byte[] lookupKey = lookupKey(kNXAddress, z);
        if (lookupKey == null) {
            return Optional.empty();
        }
        if (nextSequenceNumber(z) <= 1) {
            syncWith(kNXAddress, z);
        }
        Optional<byte[]> secure = secure(0, individualAddress, kNXAddress, bArr, securityControl, lookupKey);
        updateSequenceNumber(z, nextSequenceNumber(z) + 1);
        return secure;
    }

    Optional<byte[]> secure(int i, IndividualAddress individualAddress, IndividualAddress individualAddress2, byte[] bArr, SecurityControl securityControl) {
        return secure(i, individualAddress, individualAddress2, bArr, securityControl, lookupKey(individualAddress2, securityControl.toolAccess()));
    }

    private Optional<byte[]> secure(int i, IndividualAddress individualAddress, KNXAddress kNXAddress, byte[] bArr, SecurityControl securityControl, byte[] bArr2) {
        return secure(i, individualAddress, SerialNumber.Zero, kNXAddress, bArr, securityControl, bArr2);
    }

    private Optional<byte[]> secure(int i, IndividualAddress individualAddress, SerialNumber serialNumber, KNXAddress kNXAddress, byte[] bArr, SecurityControl securityControl, byte[] bArr2) {
        boolean systemBroadcast = securityControl.systemBroadcast();
        if (systemBroadcast && !kNXAddress.equals(GroupAddress.Broadcast)) {
            throw new KNXIllegalArgumentException("system broadcast requires broadcast address");
        }
        boolean z = securityControl.toolAccess();
        if (z) {
            if (securityControl.security() != SecurityControl.DataSecurity.AuthConf) {
                throw new KNXIllegalArgumentException("tool access requires auth+conf security");
            }
            if ((kNXAddress instanceof GroupAddress) && kNXAddress.getRawAddress() != 0) {
                throw new KNXIllegalArgumentException("tool access requires individual address");
            }
        } else if (systemBroadcast) {
            throw new KNXIllegalArgumentException("system broadcast requires tool access");
        }
        boolean z2 = i == 2;
        boolean z3 = i == 3;
        ByteBuffer allocate = ByteBuffer.allocate(9 + (z2 ? 6 : 0) + bArr.length + 4);
        int tpci = tpci(kNXAddress) | 3;
        allocate.put((byte) tpci);
        allocate.put((byte) -15);
        int securityCtrlField = toSecurityCtrlField(i, securityControl);
        allocate.put((byte) securityCtrlField);
        long nextSequenceNumber = nextSequenceNumber(z);
        if (nextSequenceNumber == 0) {
            throw new KnxSecureException("0 is not a valid sequence number");
        }
        this.logger.trace("use {}sequence {}", z ? "tool access " : "", Long.valueOf(nextSequenceNumber));
        ByteBuffer sixBytes = sixBytes(nextSequenceNumber);
        if (!z3) {
            allocate.put(sixBytes);
        }
        ByteBuffer put = ByteBuffer.allocate(z2 ? 7 : 1).put((byte) securityCtrlField);
        byte[] seqOrRand = seqOrRand(i, sixBytes.array());
        if (z2) {
            byte[] array = serialNumber.array();
            allocate.put(array);
            put.put(array);
        } else if (z3) {
            BitSet valueOf = BitSet.valueOf(seqOrRand);
            valueOf.xor(BitSet.valueOf(sixBytes(this.syncChallenge.get().longValue())));
            allocate.put(valueOf.toByteArray());
        }
        byte[] block0 = block0(seqOrRand, individualAddress, kNXAddress, 0, tpci, SecureService, bArr.length);
        byte[] blockCtr0 = blockCtr0(seqOrRand, individualAddress, kNXAddress);
        try {
            if (securityControl.security() == SecurityControl.DataSecurity.AuthConf) {
                byte[] encrypt = encrypt(ByteBuffer.allocate(4 + bArr.length).put(confMac(put.array(), bArr, bArr2, block0)).put(bArr).array(), bArr2, blockCtr0);
                allocate.put(encrypt, 4, bArr.length);
                allocate.put(encrypt, 0, 4);
            } else {
                allocate.put(bArr);
                allocate.put(mac(bArr, bArr2, block0, blockCtr0));
            }
            return Optional.of(allocate.array());
        } catch (GeneralSecurityException e) {
            securityFailure(3, individualAddress, kNXAddress, nextSequenceNumber);
            throw new KnxSecureException(String.format("securing %s->%s", individualAddress, kNXAddress), e);
        }
    }

    public SalService extract(CEMILData cEMILData) {
        byte[] payload = cEMILData.getPayload();
        if (payload.length >= 2 && DataUnitBuilder.getAPDUService(payload) == 1009) {
            if (payload.length >= 14) {
                return extract(cEMILData.getSource(), cEMILData.getDestination(), payload);
            }
            securityFailure(3, cEMILData.getSource(), cEMILData.getDestination(), 0L);
            throw new KnxSecureException("frame length " + payload.length + " too short for a secure frame");
        }
        return new SalService(SecurityControl.Plain, payload);
    }

    SalService extract(IndividualAddress individualAddress, KNXAddress kNXAddress, byte[] bArr) {
        int aPDUService = DataUnitBuilder.getAPDUService(bArr);
        if (aPDUService != 1009) {
            throw new KNXIllegalArgumentException(String.format("%s is not a secure service", DataUnitBuilder.decodeAPCI(aPDUService)));
        }
        return decrypt(individualAddress, kNXAddress, bArr[0] & 255, DataUnitBuilder.extractASDU(bArr));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Optional<FrameEvent> extract(FrameEvent frameEvent) {
        CEMI frame = frameEvent.getFrame();
        if (!(frame instanceof CEMILData)) {
            return Optional.of(frameEvent);
        }
        try {
            try {
                SalService extract = extract((CEMILData) frame);
                if (extract.apdu().length == 0) {
                    return Optional.empty();
                }
                if (extract.security() == SecurityControl.Plain) {
                    return Optional.of(frameEvent);
                }
                return Optional.of(new FrameEvent(frameEvent.getSource(), CEMIFactory.create(frame.getMessageCode(), extract.apdu(), frame), frameEvent.systemBroadcast(), extract.security()));
            } catch (RuntimeException | KNXFormatException e) {
                this.logger.warn(e.toString());
                return Optional.empty();
            }
        } catch (KnxSecureException e2) {
            this.logger.info(e2.toString());
            return Optional.empty();
        }
    }

    public SalService decrypt(IndividualAddress individualAddress, KNXAddress kNXAddress, int i, byte[] bArr) {
        byte[] copyOfRange;
        byte[] securityKey;
        ByteBuffer wrap = ByteBuffer.wrap(bArr, 0, bArr.length);
        int i2 = wrap.get() & 255;
        Object[] parseSecurityCtrlField = parseSecurityCtrlField(i2, individualAddress, kNXAddress, 0L);
        SecurityControl securityControl = (SecurityControl) parseSecurityCtrlField[0];
        int intValue = ((Integer) parseSecurityCtrlField[1]).intValue();
        boolean z = securityControl.toolAccess();
        boolean z2 = intValue == 2;
        boolean z3 = intValue == 3;
        byte[] bArr2 = null;
        SyncRequest syncRequest = null;
        if (z3) {
            if (kNXAddress.equals(GroupAddress.Broadcast)) {
                Iterator<Map.Entry<SerialNumber, SyncRequest>> it = this.pendingBcSyncRequests.entrySet().iterator();
                if (it.hasNext()) {
                    syncRequest = it.next().getValue();
                    bArr2 = syncRequest.key();
                    if (it.hasNext()) {
                        this.logger.warn("multiple sync.req broadcasts, only first is checked");
                    }
                }
            } else {
                syncRequest = this.pendingSyncRequests.get(individualAddress);
            }
            if (syncRequest == null) {
                return new SalService(securityControl, new byte[0]);
            }
        }
        boolean equals = kNXAddress.equals(GroupAddress.Broadcast);
        boolean z4 = (kNXAddress instanceof GroupAddress) && !equals;
        if (bArr2 == null) {
            if (z4) {
                securityKey = securityKey(kNXAddress);
            } else if (z) {
                securityKey = toolKey((!individualAddress.equals(address()) || equals) ? individualAddress : (IndividualAddress) kNXAddress);
            } else {
                securityKey = securityKey(individualAddress);
            }
            bArr2 = securityKey;
        }
        if (bArr2 == null) {
            return new SalService(securityControl, new byte[0]);
        }
        byte[] bArr3 = new byte[6];
        wrap.get(bArr3);
        long j = toLong(bArr3);
        if (z4 && z) {
            securityFailure(4, individualAddress, kNXAddress, j);
            throw new KnxSecureException(String.format("%s->%s group service with tool access", individualAddress, kNXAddress));
        }
        byte[] bArr4 = new byte[6];
        if (intValue == 0) {
            long lastValidSequenceNumber = lastValidSequenceNumber(z, individualAddress) + 1;
            if (j < lastValidSequenceNumber) {
                securityFailure(2, individualAddress, kNXAddress, j);
                throw new KnxSecureException(String.format("%s->%s received sequence number %d < %d (expected)", individualAddress, kNXAddress, Long.valueOf(j), Long.valueOf(lastValidSequenceNumber)));
            }
        } else if (z2) {
            wrap.get(bArr4);
            if (!this.serialNumber.equals(SerialNumber.from(bArr4)) && (securityControl.systemBroadcast() || !kNXAddress.equals(address()) || !Arrays.equals(bArr4, new byte[6]))) {
                return new SalService(securityControl, new byte[0]);
            }
            if (Instant.now().minusSeconds(1L).isBefore(this.lastSyncRes)) {
                return new SalService(securityControl, new byte[0]);
            }
        } else if (z3) {
            BitSet valueOf = BitSet.valueOf(bArr3);
            valueOf.xor(BitSet.valueOf(sixBytes(((SyncRequest) Objects.requireNonNull(syncRequest)).challenge)));
            bArr3 = valueOf.toByteArray();
        }
        this.logger.debug("{}->{} decrypt {} ({})", new Object[]{individualAddress, kNXAddress, intValue == 2 ? "sync.req" : intValue == 3 ? "sync.res" : "S-A_Data", securityControl});
        byte[] bArr5 = new byte[wrap.remaining() - 4];
        wrap.get(bArr5);
        byte[] blockCtr0 = blockCtr0(bArr3, individualAddress, kNXAddress);
        byte[] bArr6 = new byte[4];
        wrap.get(bArr6);
        byte[] block0 = block0(bArr3, individualAddress, kNXAddress, 0, i, SecureService, bArr5.length);
        if (securityControl.security() == SecurityControl.DataSecurity.Auth) {
            copyOfRange = bArr5;
            try {
                verifyMac(bArr6, mac(copyOfRange, bArr2, block0, blockCtr0), individualAddress, kNXAddress, j);
            } catch (GeneralSecurityException e) {
                securityFailure(3, individualAddress, kNXAddress, j);
                throw new KnxSecureException(String.format("calculating MAC %s->%s", individualAddress, kNXAddress), e);
            }
        } else {
            try {
                byte[] decrypt = decrypt(ByteBuffer.allocate(4 + bArr5.length).put(bArr6).put(bArr5).array(), bArr2, blockCtr0);
                byte[] copyOfRange2 = Arrays.copyOfRange(decrypt, 0, 4);
                copyOfRange = Arrays.copyOfRange(decrypt, 4, decrypt.length);
                ByteBuffer put = ByteBuffer.allocate(z2 ? 7 : 1).put((byte) i2);
                if (z2) {
                    put.put(bArr4);
                }
                try {
                    verifyMac(copyOfRange2, confMac(put.array(), copyOfRange, bArr2, block0), individualAddress, kNXAddress, j);
                    if (z2 && individualAddress.equals(address())) {
                        return new SalService(securityControl, new byte[0]);
                    }
                    if (z2) {
                        receivedSyncRequest(individualAddress, kNXAddress, z, securityControl.systemBroadcast(), bArr3, toLong(copyOfRange));
                        return new SalService(securityControl, new byte[0]);
                    }
                    if (z3) {
                        ((SyncRequest) Objects.requireNonNull(syncRequest)).complete();
                        receivedSyncResponse(individualAddress, z, copyOfRange);
                        return new SalService(securityControl, new byte[0]);
                    }
                } catch (GeneralSecurityException e2) {
                    securityFailure(3, individualAddress, kNXAddress, j);
                    throw new KnxSecureException(String.format("calculating MAC %s->%s", individualAddress, kNXAddress), e2);
                }
            } catch (GeneralSecurityException e3) {
                securityFailure(3, individualAddress, kNXAddress, j);
                throw new KnxSecureException(String.format("decrypting %s->%s", individualAddress, kNXAddress), e3);
            }
        }
        if (individualAddress.equals(address())) {
            this.logger.trace("update next {}seq -> {}", z ? "tool access " : "", Long.valueOf(j));
            updateSequenceNumber(z, j + 1);
        } else {
            Logger logger = this.logger;
            Object[] objArr = new Object[3];
            objArr[0] = z ? "tool access " : "";
            objArr[1] = individualAddress;
            objArr[2] = Long.valueOf(j);
            logger.trace("update last valid {}seq of {} -> {}", objArr);
            updateLastValidSequence(z, individualAddress, j);
        }
        int aPDUService = DataUnitBuilder.getAPDUService(copyOfRange);
        if (kNXAddress instanceof IndividualAddress) {
            checkGoDiagnosticsResponse(individualAddress, (IndividualAddress) kNXAddress, aPDUService, copyOfRange);
        }
        if (checkAccess(kNXAddress, aPDUService, securityControl)) {
            return new SalService(securityControl, copyOfRange);
        }
        securityFailure(4, individualAddress, kNXAddress, j);
        throw new KnxSecureException(String.format("%s->%s denied access for %s (%s)", individualAddress, kNXAddress, DataUnitBuilder.decodeAPCI(aPDUService), securityControl));
    }

    private void verifyMac(byte[] bArr, byte[] bArr2, IndividualAddress individualAddress, KNXAddress kNXAddress, long j) {
        if (Arrays.equals(bArr2, bArr)) {
            return;
        }
        securityFailure(3, individualAddress, kNXAddress, j);
        throw new KnxSecureException(String.format("MAC mismatch %s->%s", individualAddress, kNXAddress));
    }

    public CompletableFuture<Void> sendSyncRequest(IndividualAddress individualAddress, boolean z) throws KNXTimeoutException, KNXLinkClosedException {
        long nextLong = ThreadLocalRandom.current().nextLong();
        byte[] bArr = secure(2, address(), individualAddress, sixBytes(nextLong).array(), SecurityControl.of(SecurityControl.DataSecurity.AuthConf, z)).get();
        this.logger.debug("sync {} seq with {}", z ? "tool access" : "p2p", individualAddress);
        SyncRequest stashSyncRequest = stashSyncRequest(individualAddress, nextLong);
        send(individualAddress, bArr);
        return stashSyncRequest.future;
    }

    SyncRequest stashSyncRequest(IndividualAddress individualAddress, long j) {
        SyncRequest syncRequest = new SyncRequest(j, new byte[0]);
        syncRequest.future.whenComplete((r5, th) -> {
            this.pendingSyncRequests.remove(individualAddress);
        });
        this.pendingSyncRequests.put(individualAddress, syncRequest);
        return syncRequest;
    }

    public CompletableFuture<AutoCloseable> broadcastSyncRequest(SerialNumber serialNumber, byte[] bArr, boolean z, boolean z2) throws KNXTimeoutException, KNXLinkClosedException {
        if (z2 && !z) {
            throw new KNXIllegalArgumentException("system broadcast requires tool access");
        }
        long nextLong = ThreadLocalRandom.current().nextLong();
        byte[] bArr2 = secure(2, address(), serialNumber, GroupAddress.Broadcast, sixBytes(nextLong).array(), z2 ? SecurityControl.SystemBroadcast : SecurityControl.of(SecurityControl.DataSecurity.AuthConf, z), bArr).get();
        Logger logger = this.logger;
        Object[] objArr = new Object[3];
        objArr[0] = z2 ? "SBC" : "broadcast";
        objArr[1] = serialNumber;
        objArr[2] = z ? "tool access" : "p2p";
        logger.debug("{} sync for S/N {} ({})", objArr);
        SyncRequest syncRequest = new SyncRequest(nextLong, bArr);
        this.pendingBcSyncRequests.put(serialNumber, syncRequest);
        AutoCloseable autoCloseable = () -> {
            byte[] remove = this.security.broadcastToolKeys().remove(serialNumber);
            if (remove != null) {
                Arrays.fill(remove, (byte) 0);
            }
        };
        CompletableFuture thenApply = syncRequest.future.whenComplete((r7, th) -> {
            this.pendingBcSyncRequests.remove(serialNumber);
            if (th != null) {
                Arrays.fill(syncRequest.key(), (byte) 0);
            } else {
                this.security.broadcastToolKeys().put(serialNumber, syncRequest.key());
            }
        }).thenApply(r3 -> {
            return autoCloseable;
        });
        send(z2 ? null : GroupAddress.Broadcast, bArr2);
        return thenApply;
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        this.link.removeLinkListener(this.linkListener);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Security security() {
        return this.security;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void dispatchLinkEvent(FrameEvent frameEvent) {
        CEMI frame = frameEvent.getFrame();
        if (frame.getMessageCode() == 41) {
            this.listeners.fire(networkLinkListener -> {
                networkLinkListener.indication(frameEvent);
            });
        } else if (frame.getMessageCode() == 46) {
            this.listeners.fire(networkLinkListener2 -> {
                networkLinkListener2.confirmation(frameEvent);
            });
        }
    }

    private byte[] lookupKey(KNXAddress kNXAddress, boolean z) {
        if (z) {
            return toolKey(kNXAddress.getRawAddress() == 0 ? address() : (IndividualAddress) kNXAddress);
        }
        return securityKey(kNXAddress);
    }

    protected byte[] toolKey(IndividualAddress individualAddress) {
        return this.security.deviceToolKeys().get(individualAddress);
    }

    protected byte[] securityKey(KNXAddress kNXAddress) {
        if (!(kNXAddress instanceof GroupAddress)) {
            return null;
        }
        GroupAddress groupAddress = (GroupAddress) kNXAddress;
        byte[] bArr = this.security.groupKeys().get(groupAddress);
        if (bArr == null) {
            throw new KnxSecureException("no group key for " + groupAddress);
        }
        return bArr;
    }

    long nextSequenceNumber(boolean z) {
        return z ? this.sequenceNumberToolAccess : this.sequenceNumber;
    }

    protected void updateSequenceNumber(boolean z, long j) {
        if (z) {
            this.sequenceNumberToolAccess = j;
        } else {
            this.sequenceNumber = j;
        }
    }

    protected long lastValidSequenceNumber(boolean z, IndividualAddress individualAddress) {
        return z ? this.lastValidSequenceToolAccess.getOrDefault(individualAddress, 0L).longValue() : this.lastValidSequence.getOrDefault(individualAddress, 0L).longValue();
    }

    protected void updateLastValidSequence(boolean z, IndividualAddress individualAddress, long j) {
        if (z) {
            this.lastValidSequenceToolAccess.put(individualAddress, Long.valueOf(j));
        } else {
            this.lastValidSequence.put(individualAddress, Long.valueOf(j));
        }
    }

    protected boolean checkAccess(KNXAddress kNXAddress, int i, SecurityControl securityControl) {
        return true;
    }

    protected int groupObjectSecurity(GroupAddress groupAddress) {
        return this.security.groupKeys().containsKey(groupAddress) ? 3 : 0;
    }

    protected int tpci(KNXAddress kNXAddress) {
        return 0;
    }

    protected void send(KNXAddress kNXAddress, byte[] bArr) throws KNXTimeoutException, KNXLinkClosedException {
        this.link.sendRequestWait(kNXAddress, Priority.SYSTEM, bArr);
    }

    protected final int failureCounter(int i) {
        switch (i) {
            case 1:
                return this.scfErrors.get();
            case 2:
                return this.seqErrors.get();
            case 3:
                return this.cryptoErrors.get();
            case 4:
                return this.accessAndRoleErrors.get();
            default:
                throw new IllegalArgumentException("failure counter error type " + i);
        }
    }

    protected void securityFailure(int i, IntUnaryOperator intUnaryOperator, IndividualAddress individualAddress, KNXAddress kNXAddress, int i2, long j) {
        AtomicInteger[] atomicIntegerArr = {null, this.scfErrors, this.seqErrors, this.cryptoErrors, this.accessAndRoleErrors};
        if (i > 4) {
            throw new IllegalArgumentException("failure counter error type " + i);
        }
        atomicIntegerArr[i].updateAndGet(intUnaryOperator);
    }

    private void securityFailure(int i, IndividualAddress individualAddress, KNXAddress kNXAddress, long j) {
        securityFailure(i, saturatingIncrement, individualAddress, kNXAddress, kNXAddress instanceof GroupAddress ? 128 : 0, j);
    }

    void receivedSyncRequest(IndividualAddress individualAddress, KNXAddress kNXAddress, boolean z, boolean z2, byte[] bArr, long j) {
        long j2 = toLong(bArr);
        long lastValidSequenceNumber = 1 + lastValidSequenceNumber(z, individualAddress);
        String str = z ? "tool " : "";
        if (j2 > lastValidSequenceNumber) {
            updateLastValidSequence(z, individualAddress, j2 - 1);
            lastValidSequenceNumber = j2;
        }
        Logger logger = this.logger;
        Object[] objArr = new Object[7];
        objArr[0] = individualAddress;
        objArr[1] = kNXAddress;
        objArr[2] = z2 ? "SBC " : "";
        objArr[3] = str;
        objArr[4] = Long.valueOf(j2);
        objArr[5] = Long.valueOf(lastValidSequenceNumber);
        objArr[6] = Long.valueOf(j);
        logger.debug("{}->{} {}sync.req with {}seq {} (next {}), challenge {}", objArr);
        this.syncChallenge.set(Long.valueOf(j));
        sendSyncResponse(individualAddress, z2 ? SecurityControl.SystemBroadcast : SecurityControl.of(SecurityControl.DataSecurity.AuthConf, z), kNXAddress.equals(GroupAddress.Broadcast), lastValidSequenceNumber);
    }

    void receivedSyncResponse(IndividualAddress individualAddress, boolean z, byte[] bArr) {
        long j = toLong(Arrays.copyOfRange(bArr, 0, 6));
        long j2 = toLong(Arrays.copyOfRange(bArr, 6, 12));
        if (j - 1 > lastValidSequenceNumber(z, individualAddress)) {
            Logger logger = this.logger;
            Object[] objArr = new Object[3];
            objArr[0] = individualAddress;
            objArr[1] = z ? "tool access" : "p2p";
            objArr[2] = Long.valueOf(j - 1);
            logger.debug("sync.res update {} last valid {} seq -> {}", objArr);
            updateLastValidSequence(z, individualAddress, j - 1);
        }
        if (j2 > nextSequenceNumber(z)) {
            this.logger.debug("sync.res update local next {} seq -> {}", z ? "tool access" : "p2p", Long.valueOf(j2));
            updateSequenceNumber(z, j2);
        }
    }

    private void sendSyncResponse(IndividualAddress individualAddress, SecurityControl securityControl, boolean z, long j) {
        boolean z2 = securityControl.toolAccess();
        ByteBuffer put = ByteBuffer.allocate(12).put(sixBytes(nextSequenceNumber(z2))).put(sixBytes(j));
        KNXAddress kNXAddress = z ? GroupAddress.Broadcast : individualAddress;
        byte[] bArr = secure(3, address(), kNXAddress, put.array(), securityControl, lookupKey(individualAddress, z2)).get();
        this.lastSyncRes = Instant.now();
        ForkJoinPool.commonPool().execute(() -> {
            try {
                send(kNXAddress, bArr);
            } catch (KNXTimeoutException | KNXLinkClosedException e) {
                this.logger.warn("error sending sync.res {}->{}", new Object[]{address(), kNXAddress, e});
            }
        });
    }

    private void syncWith(KNXAddress kNXAddress, boolean z) throws InterruptedException {
        try {
            sendSyncRequest(kNXAddress instanceof GroupAddress ? surrogate((GroupAddress) kNXAddress) : (IndividualAddress) kNXAddress, z).get();
        } catch (ExecutionException e) {
            throw new KnxSecureException("sync.req with " + kNXAddress, e.getCause());
        } catch (KNXException e2) {
            throw new KnxSecureException("sync.req with " + kNXAddress, e2);
        }
    }

    private IndividualAddress surrogate(GroupAddress groupAddress) {
        return this.security.groupSenders().getOrDefault(groupAddress, Set.of()).stream().findAny().orElseThrow(() -> {
            return new KnxSecureException(groupAddress + " does not have a surrogate specified");
        });
    }

    private IndividualAddress address() {
        return this.link.getKNXMedium().getDeviceAddress();
    }

    private Object[] parseSecurityCtrlField(int i, IndividualAddress individualAddress, KNXAddress kNXAddress, long j) {
        SecurityControl of;
        boolean z = (i & 128) == 128;
        int i2 = (i >> 4) & 7;
        if (i2 > 1) {
            securityFailure(1, individualAddress, kNXAddress, j);
            throw new KnxSecureException("unsupported secure algorithm ID " + i2);
        }
        boolean z2 = i2 == 0;
        boolean z3 = (i & 8) == 8;
        int i3 = i & 7;
        if (i3 == 1 || i3 > 3) {
            securityFailure(1, individualAddress, kNXAddress, j);
            throw new KnxSecureException("unsupported secure AL service " + i3);
        }
        if (z3) {
            if (!z) {
                throw new KnxSecureException(String.format("%s->%s system broadcast requires tool access", individualAddress, kNXAddress));
            }
            if (z2) {
                this.logger.warn("auth-only system broadcast not supported");
            }
        }
        if (z3) {
            of = SecurityControl.SystemBroadcast;
        } else {
            of = SecurityControl.of(z2 ? SecurityControl.DataSecurity.Auth : SecurityControl.DataSecurity.AuthConf, z);
        }
        return new Object[]{of, Integer.valueOf(i3)};
    }

    private static int toSecurityCtrlField(int i, SecurityControl securityControl) {
        return i | (securityControl.toolAccess() ? 128 : 0) | (securityControl.security() == SecurityControl.DataSecurity.AuthConf ? 16 : 0) | (securityControl.systemBroadcast() ? 8 : 0);
    }

    private static ByteBuffer sixBytes(long j) {
        return ByteBuffer.allocate(6).putShort((short) (j >> 32)).putInt((int) j).flip();
    }

    private static long toLong(byte[] bArr) {
        long j = 0;
        for (byte b : bArr) {
            j = (j << 8) + (b & 255);
        }
        return j;
    }

    private static byte[] seqOrRand(int i, byte[] bArr) {
        if (i == 3) {
            if (test) {
                return new byte[]{-86, -86, -86, -86, -86, -86};
            }
            rng.nextBytes(bArr);
        }
        return bArr;
    }

    private static byte[] mac(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) throws GeneralSecurityException {
        ByteBuffer allocate = ByteBuffer.allocate(2 + bArr.length);
        allocate.putShort((short) bArr.length);
        allocate.put(bArr);
        return Arrays.copyOfRange(encrypt(Arrays.copyOfRange(aesCbc(allocate.array(), bArr2, bArr3), 0, 4), bArr2, bArr4), 0, 4);
    }

    private static byte[] confMac(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) throws GeneralSecurityException {
        ByteBuffer allocate = ByteBuffer.allocate(2 + bArr.length + bArr2.length);
        allocate.putShort((short) bArr.length);
        allocate.put(bArr);
        allocate.put(bArr2);
        byte[] aesCbc = aesCbc(allocate.array(), bArr3, bArr4);
        return Arrays.copyOfRange(aesCbc, aesCbc.length - 16, (aesCbc.length - 16) + 4);
    }

    private static byte[] aesCbc(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        cipher.init(1, new SecretKeySpec(bArr2, "AES"), new IvParameterSpec(new byte[16]));
        cipher.update(bArr3);
        return cipher.doFinal(Arrays.copyOf(bArr, ((bArr.length + 15) / 16) * 16));
    }

    private static byte[] block0(byte[] bArr, IndividualAddress individualAddress, KNXAddress kNXAddress, int i, int i2, int i3, int i4) {
        return ccmBlock(true, bArr, individualAddress, kNXAddress, i, i2, i3, i4);
    }

    private static byte[] blockCtr0(byte[] bArr, IndividualAddress individualAddress, KNXAddress kNXAddress) {
        return ccmBlock(false, bArr, individualAddress, kNXAddress, 0, 0, 0, 0);
    }

    private static byte[] ccmBlock(boolean z, byte[] bArr, IndividualAddress individualAddress, KNXAddress kNXAddress, int i, int i2, int i3, int i4) {
        ByteBuffer allocate = ByteBuffer.allocate(16);
        allocate.put(bArr);
        allocate.put(individualAddress.toByteArray());
        allocate.put(kNXAddress.toByteArray());
        if (z) {
            allocate.put((byte) 0);
            allocate.put((byte) ((kNXAddress instanceof GroupAddress ? 128 : 0) | (i & 15)));
            allocate.put((byte) i2);
            allocate.put((byte) i3);
            allocate.put((byte) 0);
            allocate.put((byte) i4);
        } else {
            allocate.putInt(0);
            allocate.put((byte) 1);
        }
        return allocate.array();
    }

    private static byte[] encrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
        cipher.init(1, new SecretKeySpec(bArr2, "AES"), new IvParameterSpec(bArr3));
        return cipher.doFinal(Arrays.copyOf(bArr, ((bArr.length + 15) / 16) * 16));
    }

    private static byte[] decrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
        cipher.init(2, new SecretKeySpec(bArr2, "AES"), new IvParameterSpec(bArr3));
        return cipher.doFinal(bArr);
    }
}
