package tuwien.auto.calimero.knxnetip;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.StandardSocketOptions;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.XECPublicKey;
import java.security.spec.NamedParameterSpec;
import java.security.spec.XECPublicKeySpec;
import java.time.Duration;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CancellationException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Future;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import tuwien.auto.calimero.DataUnitBuilder;
import tuwien.auto.calimero.IndividualAddress;
import tuwien.auto.calimero.KNXException;
import tuwien.auto.calimero.KNXFormatException;
import tuwien.auto.calimero.KNXIllegalArgumentException;
import tuwien.auto.calimero.KNXListener;
import tuwien.auto.calimero.KNXTimeoutException;
import tuwien.auto.calimero.SerialNumber;
import tuwien.auto.calimero.cemi.CEMI;
import tuwien.auto.calimero.knxnetip.Connection;
import tuwien.auto.calimero.knxnetip.KNXnetIPConnection;
import tuwien.auto.calimero.knxnetip.KNXnetIPTunnel;
import tuwien.auto.calimero.knxnetip.servicetype.KNXnetIPHeader;
import tuwien.auto.calimero.knxnetip.servicetype.PacketHelper;
import tuwien.auto.calimero.knxnetip.util.CRI;
import tuwien.auto.calimero.knxnetip.util.HPAI;
import tuwien.auto.calimero.link.medium.KNXMediumSettings;
import tuwien.auto.calimero.log.LogService;
import tuwien.auto.calimero.secure.KnxSecureException;

/* loaded from: input_file:tuwien/auto/calimero/knxnetip/SecureConnection.class */
public final class SecureConnection extends KNXnetIPRouting {
    private static final int SecureSvc = 2384;
    private static final int SecureSessionResponse = 2386;
    private static final int SecureSessionAuth = 2387;
    private static final int SecureSessionStatus = 2388;
    private static final int SecureGroupSync = 2389;
    private static final int macSize = 16;
    private static final int keyLength = 32;
    private final SerialNumber sno;
    private Key secretKey;
    private int sessionId;
    private Connection.SecureSession session;
    private PrivateKey privateKey;
    private final byte[] publicKey;
    private static final int sessionSetupTimeout = 10000;
    private static final int SessionSetup = -1;
    private volatile int sessionStatus;
    private DatagramSocket localSocket;
    private ReceiverLoop setupLoop;
    private final KNXnetIPConnection tunnel;
    private final int mcastLatencyTolerance;
    private final int syncLatencyTolerance;
    private final AtomicInteger routingCount;
    private long timestampOffset;
    private volatile boolean syncedWithGroup;
    private volatile int sentGroupSyncTag;
    private static final int syncQueryInterval = 10000;
    private static final int minDelayTimeKeeperUpdateNotify = 100;
    private int minDelayUpdateNotify;
    private int maxDelayUpdateNotify;
    private int minDelayPeriodicNotify;
    private int maxDelayPeriodicNotify;
    private volatile boolean periodicSchedule;
    private SerialNumber timerNotifySN;
    private int timerNotifyTag;
    private Future<?> groupSync;
    static final String secureSymbol = new String(Character.toChars(128274));
    private static final ScheduledThreadPoolExecutor groupSyncSender = new ScheduledThreadPoolExecutor(1, runnable -> {
        Thread thread = new Thread(runnable);
        thread.setName("KNX/IP secure group sync");
        thread.setDaemon(true);
        return thread;
    });

    public static KNXnetIPConnection newTunneling(KNXnetIPTunnel.TunnelingLayer tunnelingLayer, InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, boolean z, byte[] bArr, int i, byte[] bArr2) throws KNXException, InterruptedException {
        return new SecureConnection(tunnelingLayer, inetSocketAddress, inetSocketAddress2, z, bArr.length == 0 ? new byte[16] : bArr, i, bArr2, KNXMediumSettings.BackboneRouter);
    }

    public static KNXnetIPConnection newTunneling(KNXnetIPTunnel.TunnelingLayer tunnelingLayer, final Connection.SecureSession secureSession, IndividualAddress individualAddress) throws KNXException, InterruptedException {
        secureSession.ensureOpen();
        return new KNXnetIPTunnel(tunnelingLayer, secureSession.connection(), individualAddress) { // from class: tuwien.auto.calimero.knxnetip.SecureConnection.1
            @Override // tuwien.auto.calimero.knxnetip.KNXnetIPTunnel, tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
            public String getName() {
                return "KNX IP " + SecureConnection.secureSymbol + " Tunneling " + Net.hostPort(this.ctrlEndpt);
            }

            @Override // tuwien.auto.calimero.knxnetip.ClientConnection
            protected void connect(Connection connection, CRI cri) throws KNXException, InterruptedException {
                secureSession.registerConnectRequest(this);
                try {
                    super.connect(connection.localEndpoint(), connection.server(), cri, false);
                } finally {
                    secureSession.unregisterConnectRequest(this);
                }
            }

            @Override // tuwien.auto.calimero.knxnetip.ClientConnection, tuwien.auto.calimero.knxnetip.ConnectionBase
            protected void send(byte[] bArr, InetSocketAddress inetSocketAddress) throws IOException {
                super.send(SecureConnection.newSecurePacket(secureSession.id(), secureSession.nextSendSeq(), secureSession.serialNumber(), 0, bArr, secureSession.secretKey), inetSocketAddress);
            }
        };
    }

    public static KNXnetIPConnection newRouting(NetworkInterface networkInterface, InetAddress inetAddress, byte[] bArr, Duration duration) throws KNXException {
        return new SecureConnection(networkInterface, inetAddress, bArr, duration);
    }

    public static KNXnetIPConnection newDeviceManagement(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, boolean z, byte[] bArr, byte[] bArr2) throws KNXException, InterruptedException {
        return new SecureConnection(inetSocketAddress, inetSocketAddress2, z, bArr.length == 0 ? new byte[16] : bArr, bArr2);
    }

    public static KNXnetIPConnection newDeviceManagement(final Connection.SecureSession secureSession) throws KNXException, InterruptedException {
        secureSession.ensureOpen();
        return new KNXnetIPDevMgmt(secureSession.connection()) { // from class: tuwien.auto.calimero.knxnetip.SecureConnection.2
            @Override // tuwien.auto.calimero.knxnetip.KNXnetIPDevMgmt, tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
            public String getName() {
                return "KNX IP " + SecureConnection.secureSymbol + " Management " + Net.hostPort(this.ctrlEndpt);
            }

            @Override // tuwien.auto.calimero.knxnetip.ClientConnection
            protected void connect(Connection connection, CRI cri) throws KNXException, InterruptedException {
                secureSession.registerConnectRequest(this);
                try {
                    super.connect(connection.localEndpoint(), connection.server(), cri, false);
                } finally {
                    secureSession.unregisterConnectRequest(this);
                }
            }

            @Override // tuwien.auto.calimero.knxnetip.ClientConnection, tuwien.auto.calimero.knxnetip.ConnectionBase
            protected void send(byte[] bArr, InetSocketAddress inetSocketAddress) throws IOException {
                super.send(SecureConnection.newSecurePacket(secureSession.id(), secureSession.nextSendSeq(), secureSession.serialNumber(), 0, bArr, secureSession.secretKey), inetSocketAddress);
            }
        };
    }

    public static byte[] hashUserPassword(char[] cArr) {
        return pbkdf2WithHmacSha256(cArr, "user-password.1.secure.ip.knx.org".getBytes(StandardCharsets.US_ASCII));
    }

    public static byte[] hashDeviceAuthenticationPassword(char[] cArr) {
        return pbkdf2WithHmacSha256(cArr, "device-authentication-code.1.secure.ip.knx.org".getBytes(StandardCharsets.US_ASCII));
    }

    @Deprecated(forRemoval = true)
    public static byte[] hashDeviceAuthenticationCode(char[] cArr) {
        return pbkdf2WithHmacSha256(cArr, "device-authentication-code.1.secure.ip.knx.org".getBytes(StandardCharsets.US_ASCII));
    }

    private static byte[] pbkdf2WithHmacSha256(char[] cArr, byte[] bArr) {
        for (int i = 0; i < cArr.length; i++) {
            char c = cArr[i];
            if (c < ' ' || c > '~') {
                cArr[i] = '?';
            }
        }
        try {
            try {
                byte[] encoded = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(new PBEKeySpec(cArr, bArr, 65536, 128)).getEncoded();
                Arrays.fill(cArr, (char) 0);
                return encoded;
            } catch (GeneralSecurityException e) {
                throw new KnxSecureException("PBKDF2WithHmacSHA256", e);
            }
        } catch (Throwable th) {
            Arrays.fill(cArr, (char) 0);
            throw th;
        }
    }

    private SecureConnection(NetworkInterface networkInterface, InetAddress inetAddress, byte[] bArr, Duration duration) throws KNXException {
        super(inetAddress);
        this.publicKey = new byte[32];
        this.sessionStatus = -1;
        this.routingCount = new AtomicInteger();
        this.timestampOffset = (-System.nanoTime()) / 1000000;
        this.periodicSchedule = true;
        this.groupSync = CompletableFuture.completedFuture(Void.TYPE);
        this.sno = deriveSerialNumber(networkInterface);
        this.secretKey = createSecretKey(bArr);
        this.mcastLatencyTolerance = (int) duration.toMillis();
        this.syncLatencyTolerance = this.mcastLatencyTolerance / 10;
        init(networkInterface, true, true);
        scheduleGroupSync(0L);
        try {
            awaitGroupSync();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        this.tunnel = null;
    }

    private SecureConnection(KNXnetIPTunnel.TunnelingLayer tunnelingLayer, InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, boolean z, byte[] bArr, int i, byte[] bArr2, IndividualAddress individualAddress) throws KNXException, InterruptedException {
        super(DefaultMulticast);
        InetAddress inetAddress;
        this.publicKey = new byte[32];
        this.sessionStatus = -1;
        this.routingCount = new AtomicInteger();
        this.timestampOffset = (-System.nanoTime()) / 1000000;
        this.periodicSchedule = true;
        this.groupSync = CompletableFuture.completedFuture(Void.TYPE);
        InetSocketAddress inetSocketAddress3 = inetSocketAddress;
        if (inetSocketAddress3.isUnresolved()) {
            throw new KNXIllegalArgumentException("unresolved address " + inetSocketAddress3);
        }
        if (inetSocketAddress3.getAddress().isAnyLocalAddress()) {
            if (z) {
                inetAddress = null;
            } else {
                try {
                    inetAddress = (InetAddress) Optional.ofNullable(inetSocketAddress2.getAddress()).flatMap(Net::onSameSubnet).orElse(InetAddress.getLocalHost());
                } catch (UnknownHostException e) {
                    throw new KNXException("no local host address available", e);
                }
            }
            inetSocketAddress3 = new InetSocketAddress(inetAddress, inetSocketAddress.getPort());
        }
        this.session = Connection.Udp.newSecureSession(i, bArr2, bArr);
        this.sno = this.session.serialNumber();
        setupSecureSession(inetSocketAddress3, inetSocketAddress2);
        this.tunnel = new KNXnetIPTunnel(tunnelingLayer, inetSocketAddress, inetSocketAddress2, z, individualAddress) { // from class: tuwien.auto.calimero.knxnetip.SecureConnection.3
            @Override // tuwien.auto.calimero.knxnetip.KNXnetIPTunnel, tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
            public String getName() {
                return "KNX/IP " + SecureConnection.secureSymbol + " Tunneling " + Net.hostPort(this.ctrlEndpt);
            }

            @Override // tuwien.auto.calimero.knxnetip.KNXnetIPTunnel, tuwien.auto.calimero.knxnetip.ClientConnection, tuwien.auto.calimero.knxnetip.ConnectionBase
            protected boolean handleServiceType(KNXnetIPHeader kNXnetIPHeader, byte[] bArr3, int i2, InetAddress inetAddress2, int i3) throws KNXFormatException, IOException {
                int serviceType = kNXnetIPHeader.getServiceType();
                if (!kNXnetIPHeader.isSecure()) {
                    this.logger.trace("received insecure service type 0x{} - ignore", Integer.toHexString(serviceType));
                    return true;
                }
                if (serviceType != 2384) {
                    this.logger.warn("received unsupported secure service type 0x{} - ignore", Integer.toHexString(serviceType));
                    return true;
                }
                byte[] bArr4 = (byte[]) SecureConnection.this.unwrap(kNXnetIPHeader, bArr3, i2)[4];
                KNXnetIPHeader kNXnetIPHeader2 = new KNXnetIPHeader(bArr4, 0);
                if (kNXnetIPHeader2.getServiceType() != SecureConnection.SecureSessionStatus) {
                    return super.handleServiceType(kNXnetIPHeader2, bArr4, kNXnetIPHeader2.getStructLength(), inetAddress2, i3);
                }
                int newChannelStatus = SecureConnection.newChannelStatus(kNXnetIPHeader2, bArr4, kNXnetIPHeader2.getStructLength());
                LogService.log(this.logger, newChannelStatus == 0 ? LogService.LogLevel.TRACE : LogService.LogLevel.ERROR, "{}", SecureConnection.this.session);
                SecureConnection.this.setupLoop.quit();
                SecureConnection.this.sessionStatus = newChannelStatus;
                if (newChannelStatus != 0) {
                    throw new KnxSecureException("secure session " + SecureConnection.statusMsg(newChannelStatus));
                }
                return true;
            }

            @Override // tuwien.auto.calimero.knxnetip.ClientConnection, tuwien.auto.calimero.knxnetip.ConnectionBase
            protected void send(byte[] bArr3, InetSocketAddress inetSocketAddress4) throws IOException {
                super.send(SecureConnection.this.newSecurePacket(SecureConnection.this.session.nextSendSeq(), 0, bArr3), inetSocketAddress4);
            }
        };
        this.mcastLatencyTolerance = 0;
        this.syncLatencyTolerance = 0;
    }

    private SecureConnection(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, boolean z, byte[] bArr, byte[] bArr2) throws KNXException, InterruptedException {
        super(DefaultMulticast);
        InetAddress inetAddress;
        this.publicKey = new byte[32];
        this.sessionStatus = -1;
        this.routingCount = new AtomicInteger();
        this.timestampOffset = (-System.nanoTime()) / 1000000;
        this.periodicSchedule = true;
        this.groupSync = CompletableFuture.completedFuture(Void.TYPE);
        InetSocketAddress inetSocketAddress3 = inetSocketAddress;
        if (inetSocketAddress3.isUnresolved()) {
            throw new KNXIllegalArgumentException("unresolved address " + inetSocketAddress3);
        }
        if (inetSocketAddress3.getAddress().isAnyLocalAddress()) {
            if (z) {
                inetAddress = null;
            } else {
                try {
                    inetAddress = (InetAddress) Optional.ofNullable(inetSocketAddress2.getAddress()).flatMap(Net::onSameSubnet).orElse(InetAddress.getLocalHost());
                } catch (UnknownHostException e) {
                    throw new KNXException("no local host address available", e);
                }
            }
            inetSocketAddress3 = new InetSocketAddress(inetAddress, inetSocketAddress.getPort());
        }
        this.session = Connection.Udp.newSecureSession(1, bArr2, bArr);
        this.sno = this.session.serialNumber();
        setupSecureSession(inetSocketAddress3, inetSocketAddress2);
        this.tunnel = new KNXnetIPDevMgmt(inetSocketAddress, inetSocketAddress2, z) { // from class: tuwien.auto.calimero.knxnetip.SecureConnection.4
            @Override // tuwien.auto.calimero.knxnetip.KNXnetIPDevMgmt, tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
            public String getName() {
                return "KNX/IP " + SecureConnection.secureSymbol + " Management " + Net.hostPort(this.ctrlEndpt);
            }

            @Override // tuwien.auto.calimero.knxnetip.ClientConnection, tuwien.auto.calimero.knxnetip.ConnectionBase
            protected void send(byte[] bArr3, InetSocketAddress inetSocketAddress4) throws IOException {
                super.send(SecureConnection.this.newSecurePacket(SecureConnection.this.session.nextSendSeq(), 0, bArr3), inetSocketAddress4);
            }

            /* JADX INFO: Access modifiers changed from: protected */
            @Override // tuwien.auto.calimero.knxnetip.KNXnetIPDevMgmt, tuwien.auto.calimero.knxnetip.ClientConnection, tuwien.auto.calimero.knxnetip.ConnectionBase
            public boolean handleServiceType(KNXnetIPHeader kNXnetIPHeader, byte[] bArr3, int i, InetAddress inetAddress2, int i2) throws KNXFormatException, IOException {
                int serviceType = kNXnetIPHeader.getServiceType();
                if (!kNXnetIPHeader.isSecure()) {
                    this.logger.trace("received insecure service type 0x{} - ignore", Integer.toHexString(serviceType));
                    return true;
                }
                if (serviceType != 2384) {
                    this.logger.warn("received unsupported secure service type 0x{} - ignore", Integer.toHexString(serviceType));
                    return true;
                }
                byte[] bArr4 = (byte[]) SecureConnection.this.unwrap(kNXnetIPHeader, bArr3, i)[4];
                KNXnetIPHeader kNXnetIPHeader2 = new KNXnetIPHeader(bArr4, 0);
                if (kNXnetIPHeader2.getServiceType() != SecureConnection.SecureSessionStatus) {
                    return super.handleServiceType(kNXnetIPHeader2, bArr4, kNXnetIPHeader2.getStructLength(), inetAddress2, i2);
                }
                int newChannelStatus = SecureConnection.newChannelStatus(kNXnetIPHeader2, bArr4, kNXnetIPHeader2.getStructLength());
                LogService.log(this.logger, newChannelStatus == 0 ? LogService.LogLevel.TRACE : LogService.LogLevel.ERROR, "{}", SecureConnection.this.session);
                SecureConnection.this.setupLoop.quit();
                SecureConnection.this.sessionStatus = newChannelStatus;
                if (newChannelStatus != 0) {
                    throw new KnxSecureException("secure session " + SecureConnection.statusMsg(newChannelStatus));
                }
                return true;
            }
        };
        this.mcastLatencyTolerance = 0;
        this.syncLatencyTolerance = 0;
    }

    private static SerialNumber deriveSerialNumber(NetworkInterface networkInterface) {
        if (networkInterface != null) {
            try {
                byte[] hardwareAddress = networkInterface.getHardwareAddress();
                if (hardwareAddress != null) {
                    return SerialNumber.from(Arrays.copyOf(hardwareAddress, 6));
                }
            } catch (SocketException e) {
            }
        }
        return SerialNumber.Zero;
    }

    @Override // tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
    public void addConnectionListener(KNXListener kNXListener) {
        if (this.tunnel != null) {
            this.tunnel.addConnectionListener(kNXListener);
        } else {
            super.addConnectionListener(kNXListener);
        }
    }

    @Override // tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
    public void removeConnectionListener(KNXListener kNXListener) {
        if (this.tunnel != null) {
            this.tunnel.addConnectionListener(kNXListener);
        } else {
            super.removeConnectionListener(kNXListener);
        }
    }

    @Override // tuwien.auto.calimero.knxnetip.KNXnetIPRouting, tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
    public void send(CEMI cemi, KNXnetIPConnection.BlockingMode blockingMode) throws KNXConnectionClosedException {
        if (this.tunnel == null) {
            super.send(cemi, blockingMode);
            return;
        }
        try {
            this.tunnel.send(cemi, blockingMode);
        } catch (InterruptedException | KNXTimeoutException e) {
            if (this.tunnel.getState() == 1) {
                throw new KNXConnectionClosedException(e.getMessage());
            }
            this.logger.error("tunneling error", e);
        }
    }

    @Override // tuwien.auto.calimero.knxnetip.KNXnetIPRouting, tuwien.auto.calimero.knxnetip.ConnectionBase, tuwien.auto.calimero.knxnetip.KNXnetIPConnection
    public String getName() {
        return this.tunnel != null ? this.tunnel.getName() : "KNX/IP " + secureSymbol + " Routing " + this.ctrlEndpt.getAddress().getHostAddress();
    }

    @Override // tuwien.auto.calimero.knxnetip.ConnectionBase
    public String toString() {
        return getName();
    }

    @Override // tuwien.auto.calimero.knxnetip.KNXnetIPRouting, tuwien.auto.calimero.knxnetip.ConnectionBase
    protected void send(byte[] bArr, InetSocketAddress inetSocketAddress) throws IOException {
        channel().send(ByteBuffer.wrap(newSecurePacket(timestamp(), this.routingCount.getAndIncrement() % 65536, bArr)), inetSocketAddress);
        scheduleGroupSync(periodicNotifyDelay());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // tuwien.auto.calimero.knxnetip.KNXnetIPRouting, tuwien.auto.calimero.knxnetip.ConnectionBase
    public boolean handleServiceType(KNXnetIPHeader kNXnetIPHeader, byte[] bArr, int i, InetAddress inetAddress, int i2) throws KNXFormatException, IOException {
        int serviceType = kNXnetIPHeader.getServiceType();
        if (!kNXnetIPHeader.isSecure()) {
            this.logger.trace("received insecure service type 0x{} - ignore", Integer.toHexString(serviceType));
            return true;
        }
        InetSocketAddress inetSocketAddress = new InetSocketAddress(inetAddress, i2);
        if (serviceType == SecureSessionResponse) {
            try {
                byte[] newSecurePacket = newSecurePacket(this.session.nextSendSeq(), 0, newSessionAuth((byte[]) newSessionResponse(kNXnetIPHeader, bArr, i, inetSocketAddress)[1]));
                this.logger.debug("secure session {}, request access for user {}", Integer.valueOf(this.sessionId), Integer.valueOf(this.session.user()));
                if (this.localSocket != null) {
                    this.localSocket.send(new DatagramPacket(newSecurePacket, newSecurePacket.length, inetSocketAddress));
                } else {
                    this.session.connection().send(newSecurePacket);
                }
                return true;
            } catch (RuntimeException e) {
                this.sessionStatus = 1;
                this.setupLoop.quit();
                this.logger.error("negotiating session key failed", e);
                return true;
            }
        }
        if (serviceType == SecureGroupSync) {
            try {
                Object[] newGroupSync = newGroupSync(kNXnetIPHeader, bArr, i);
                onGroupSync(inetAddress, ((Long) newGroupSync[0]).longValue(), true, (SerialNumber) newGroupSync[1], ((Integer) newGroupSync[2]).intValue());
                return true;
            } catch (KnxSecureException e2) {
                this.logger.debug("group sync {}", e2.getMessage());
                return true;
            }
        }
        if (serviceType != 2384) {
            this.logger.warn("received unsupported secure service type 0x{} - ignore", Integer.toHexString(serviceType));
            return true;
        }
        Object[] unwrap = unwrap(kNXnetIPHeader, bArr, i);
        long longValue = ((Long) unwrap[1]).longValue();
        if (this.sessionId == 0 && !withinTolerance(inetAddress, longValue, (SerialNumber) unwrap[2], ((Integer) unwrap[3]).intValue())) {
            this.logger.warn("{} timestamp {} outside latency tolerance of {} ms (local {}) - ignore", new Object[]{Net.hostPort(inetSocketAddress), Long.valueOf(longValue), Integer.valueOf(this.mcastLatencyTolerance), Long.valueOf(timestamp())});
            return true;
        }
        byte[] bArr2 = (byte[]) unwrap[4];
        KNXnetIPHeader kNXnetIPHeader2 = new KNXnetIPHeader(bArr2, 0);
        if (kNXnetIPHeader2.getServiceType() != SecureSessionStatus) {
            return super.handleServiceType(kNXnetIPHeader2, bArr2, kNXnetIPHeader2.getStructLength(), inetAddress, i2);
        }
        int newChannelStatus = newChannelStatus(kNXnetIPHeader2, bArr2, kNXnetIPHeader2.getStructLength());
        LogService.log(this.logger, newChannelStatus == 0 ? LogService.LogLevel.DEBUG : LogService.LogLevel.ERROR, "{}", this.session);
        this.setupLoop.quit();
        this.sessionStatus = newChannelStatus;
        if (newChannelStatus != 0) {
            throw new KnxSecureException("secure session " + statusMsg(newChannelStatus));
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // tuwien.auto.calimero.knxnetip.KNXnetIPRouting, tuwien.auto.calimero.knxnetip.ConnectionBase
    public void close(int i, String str, LogService.LogLevel logLevel, Throwable th) {
        if (this.tunnel != null) {
            this.tunnel.close();
        } else {
            this.groupSync.cancel(true);
            super.close(i, str, logLevel, th);
        }
    }

    private void setupSecureSession(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2) throws KNXException {
        this.logger = LoggerFactory.getLogger("calimero.knxnetip.KNX/IP " + secureSymbol + " Session " + Net.hostPort(inetSocketAddress2));
        this.logger.debug("setup secure session with {}", inetSocketAddress2);
        try {
            KeyPair generateKeyPair = generateKeyPair();
            this.privateKey = generateKeyPair.getPrivate();
            byte[] byteArray = ((XECPublicKey) generateKeyPair.getPublic()).getU().toByteArray();
            reverse(byteArray);
            System.arraycopy(byteArray, 0, this.publicKey, 0, byteArray.length);
            try {
                try {
                    DatagramSocket datagramSocket = new DatagramSocket(inetSocketAddress);
                    try {
                        this.localSocket = datagramSocket;
                        byte[] newChannelRequest = PacketHelper.newChannelRequest(new HPAI(1, this.useNat ? null : (InetSocketAddress) datagramSocket.getLocalSocketAddress()), this.publicKey);
                        datagramSocket.send(new DatagramPacket(newChannelRequest, newChannelRequest.length, inetSocketAddress2));
                        this.setupLoop = new ReceiverLoop(this, datagramSocket, 512, 0, 10000);
                        this.setupLoop.run();
                        if (this.sessionStatus == -1) {
                            throw new KNXTimeoutException("timeout establishing secure session with " + inetSocketAddress2);
                        }
                        if (this.sessionStatus != 0) {
                            throw new KnxSecureException("secure session " + statusMsg(this.sessionStatus));
                        }
                        datagramSocket.close();
                    } catch (Throwable th) {
                        try {
                            datagramSocket.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } finally {
                    Arrays.fill(this.publicKey, (byte) 0);
                }
            } catch (IOException e) {
                throw new KNXException("I/O error establishing secure session with " + inetSocketAddress2, e);
            }
        } catch (Throwable th3) {
            throw new KnxSecureException("error creating secure key pair for " + inetSocketAddress2, th3);
        }
    }

    private boolean withinTolerance(InetAddress inetAddress, long j, SerialNumber serialNumber, int i) {
        onGroupSync(inetAddress, j, false, serialNumber, i);
        return timestamp() - j <= ((long) this.mcastLatencyTolerance);
    }

    private void onGroupSync(InetAddress inetAddress, long j, boolean z, SerialNumber serialNumber, int i) {
        long timestamp = timestamp();
        if (j > timestamp) {
            this.logger.debug("sync timestamp +{} ms", Long.valueOf(j - timestamp));
            this.timestampOffset += j - timestamp;
            syncedWithGroup(z, serialNumber, i);
        } else {
            if (j > timestamp - this.syncLatencyTolerance) {
                if (i == this.sentGroupSyncTag && isLocalIpAddress(inetAddress)) {
                    return;
                }
                syncedWithGroup(z, serialNumber, i);
                return;
            }
            if (j > timestamp - this.mcastLatencyTolerance || !this.periodicSchedule) {
                return;
            }
            this.timerNotifySN = serialNumber;
            this.timerNotifyTag = i;
            this.periodicSchedule = false;
            scheduleGroupSync(randomClosedRange(this.minDelayUpdateNotify, this.maxDelayUpdateNotify));
        }
    }

    private synchronized void becomeTimeFollower() {
        int i = minDelayTimeKeeperUpdateNotify + (1 * this.syncLatencyTolerance);
        int i2 = 10000 + (3 * this.syncLatencyTolerance);
        int i3 = i + (1 * this.syncLatencyTolerance);
        int i4 = i3 + (10 * this.syncLatencyTolerance);
        int i5 = i2 + (1 * this.syncLatencyTolerance);
        int i6 = i5 + (10 * this.syncLatencyTolerance);
        this.minDelayUpdateNotify = i3;
        this.maxDelayUpdateNotify = i4;
        this.minDelayPeriodicNotify = i5;
        this.maxDelayPeriodicNotify = i6;
    }

    private synchronized void becomeTimeKeeper() {
        int i = minDelayTimeKeeperUpdateNotify + (1 * this.syncLatencyTolerance);
        int i2 = 10000 + (3 * this.syncLatencyTolerance);
        this.minDelayUpdateNotify = minDelayTimeKeeperUpdateNotify;
        this.maxDelayUpdateNotify = i;
        this.minDelayPeriodicNotify = 10000;
        this.maxDelayPeriodicNotify = i2;
    }

    private void syncedWithGroup(boolean z, SerialNumber serialNumber, int i) {
        if (z) {
            becomeTimeFollower();
        }
        scheduleGroupSync(periodicNotifyDelay());
        if (!this.syncedWithGroup && i == this.sentGroupSyncTag && this.sno.equals(serialNumber)) {
            this.logger.info("synchronized with group {}", getRemoteAddress().getAddress().getHostAddress());
            this.syncedWithGroup = true;
            synchronized (this) {
                notifyAll();
            }
        }
    }

    private void awaitGroupSync() throws InterruptedException {
        long j;
        long j2 = (2 * this.mcastLatencyTolerance) + minDelayTimeKeeperUpdateNotify + (12 * this.syncLatencyTolerance);
        long nanoTime = (System.nanoTime() / 1000000) + j2;
        long j3 = j2;
        while (true) {
            j = j3;
            if (j <= 0 || this.syncedWithGroup) {
                break;
            }
            synchronized (this) {
                wait(j);
            }
            j3 = nanoTime - (System.nanoTime() / 1000000);
        }
        this.syncedWithGroup = true;
        this.logger.trace("waited {} ms for group sync", Long.valueOf(j2 - j));
    }

    private boolean isLocalIpAddress(InetAddress inetAddress) {
        Stream empty = Stream.empty();
        if (inetAddress.equals(((InetSocketAddress) channel().getLocalAddress()).getAddress())) {
            return true;
        }
        NetworkInterface networkInterface = (NetworkInterface) channel().getOption(StandardSocketOptions.IP_MULTICAST_IF);
        empty = networkInterface == null || networkInterface.getInetAddresses().nextElement().isAnyLocalAddress() ? NetworkInterface.networkInterfaces() : Stream.of(networkInterface);
        Stream flatMap = empty.flatMap(networkInterface2 -> {
            return networkInterface2.inetAddresses();
        });
        Objects.requireNonNull(inetAddress);
        return flatMap.anyMatch((v1) -> {
            return r1.equals(v1);
        });
    }

    private void scheduleGroupSync(long j) {
        this.logger.trace("schedule group sync (initial delay {} ms)", Long.valueOf(j));
        this.groupSync.cancel(true);
        this.groupSync = groupSyncSender.scheduleWithFixedDelay(this::sendGroupSync, j, 10000L, TimeUnit.MILLISECONDS);
    }

    private void sendGroupSync() {
        try {
            long timestamp = timestamp();
            byte[] newGroupSync = newGroupSync(timestamp);
            Logger logger = this.logger;
            Object[] objArr = new Object[3];
            objArr[0] = Long.valueOf(timestamp);
            objArr[1] = this.periodicSchedule ? this.sno : this.timerNotifySN;
            objArr[2] = Integer.valueOf(this.periodicSchedule ? this.sentGroupSyncTag : this.timerNotifyTag);
            logger.debug("sending group sync timestamp {} ms (S/N {}, tag {})", objArr);
            becomeTimeKeeper();
            scheduleGroupSync(periodicNotifyDelay());
            channel().send(ByteBuffer.wrap(newGroupSync), this.dataEndpt);
        } catch (IOException | RuntimeException e) {
            if (channel().isOpen()) {
                this.logger.warn("sending group sync failed", e);
            } else {
                this.groupSync.cancel(true);
                throw new CancellationException("stop group sync for " + this);
            }
        }
    }

    private long timestamp() {
        return (System.nanoTime() / 1000000) + this.timestampOffset;
    }

    private synchronized int periodicNotifyDelay() {
        this.periodicSchedule = true;
        return randomClosedRange(this.minDelayPeriodicNotify, this.maxDelayPeriodicNotify);
    }

    private static int randomClosedRange(int i, int i2) {
        return ThreadLocalRandom.current().nextInt(i, i2 + 1);
    }

    private byte[] newSecurePacket(long j, int i, byte[] bArr) {
        if (j < 0 || j > 281474976710655L) {
            throw new KNXIllegalArgumentException("sequence / group counter " + j + " out of range [0..0xffffffffffff]");
        }
        if (i < 0 || i > 65535) {
            throw new KNXIllegalArgumentException("message tag " + i + " out of range [0..0xffff]");
        }
        KNXnetIPHeader kNXnetIPHeader = new KNXnetIPHeader(2384, 16 + bArr.length + 16);
        ByteBuffer allocate = ByteBuffer.allocate(kNXnetIPHeader.getTotalLength());
        allocate.put(kNXnetIPHeader.toByteArray());
        allocate.putShort((short) this.sessionId);
        allocate.putShort((short) (j >> 32));
        allocate.putInt((int) j);
        allocate.put(this.sno.array());
        allocate.putShort((short) i);
        allocate.put(bArr);
        allocate.put(cbcMac(allocate.array(), 0, allocate.position(), securityInfo(allocate.array(), kNXnetIPHeader.getStructLength() + 2, bArr.length)));
        encrypt(allocate.array(), kNXnetIPHeader.getStructLength() + 2 + 6 + 6 + 2, securityInfo(allocate.array(), 8, 65280));
        return allocate.array();
    }

    public static byte[] newSecurePacket(long j, long j2, SerialNumber serialNumber, int i, byte[] bArr, Key key) {
        if (j2 < 0 || j2 > 281474976710655L) {
            throw new KNXIllegalArgumentException("sequence / group counter " + j2 + " out of range [0..0xffffffffffff]");
        }
        if (i < 0 || i > 65535) {
            throw new KNXIllegalArgumentException("message tag " + i + " out of range [0..0xffff]");
        }
        KNXnetIPHeader kNXnetIPHeader = new KNXnetIPHeader(2384, 16 + bArr.length + 16);
        ByteBuffer allocate = ByteBuffer.allocate(kNXnetIPHeader.getTotalLength());
        allocate.put(kNXnetIPHeader.toByteArray());
        allocate.putShort((short) j);
        allocate.putShort((short) (j2 >> 32));
        allocate.putInt((int) j2);
        allocate.put(serialNumber.array());
        allocate.putShort((short) i);
        allocate.put(bArr);
        allocate.put(cbcMac(allocate.array(), 0, allocate.position(), key, securityInfo(allocate.array(), kNXnetIPHeader.getStructLength() + 2, bArr.length)));
        encrypt(allocate.array(), kNXnetIPHeader.getStructLength() + 2 + 6 + 6 + 2, key, securityInfo(allocate.array(), 8, 65280));
        return allocate.array();
    }

    private Object[] unwrap(KNXnetIPHeader kNXnetIPHeader, byte[] bArr, int i) throws KNXFormatException {
        Object[] unwrap = unwrap(kNXnetIPHeader, bArr, i, this.secretKey);
        int intValue = ((Integer) unwrap[0]).intValue();
        if (intValue != this.sessionId) {
            throw new KnxSecureException("secure session mismatch: received ID " + intValue + ", expected " + this.sessionId);
        }
        long longValue = ((Long) unwrap[1]).longValue();
        if (this.sessionId != 0 && longValue < this.session.nextReceiveSeq()) {
            KnxSecureException knxSecureException = new KnxSecureException("received secure packet with sequence " + longValue + " < expected " + knxSecureException);
            throw knxSecureException;
        }
        SerialNumber serialNumber = (SerialNumber) unwrap[2];
        int intValue2 = ((Integer) unwrap[3]).intValue();
        this.logger.trace("received {} (session {} seq {} S/N {} tag {})", new Object[]{DataUnitBuilder.toHex((byte[]) unwrap[4], " "), Integer.valueOf(intValue), Long.valueOf(longValue), serialNumber, Integer.valueOf(intValue2)});
        return new Object[]{unwrap[0], unwrap[1], serialNumber, unwrap[3], unwrap[4]};
    }

    public static Object[] unwrap(KNXnetIPHeader kNXnetIPHeader, byte[] bArr, int i, Key key) throws KNXFormatException {
        if ((kNXnetIPHeader.getServiceType() & 2384) != 2384) {
            throw new KNXIllegalArgumentException("not a secure service type");
        }
        int totalLength = kNXnetIPHeader.getTotalLength();
        int structLength = kNXnetIPHeader.getStructLength();
        int i2 = structLength + 2 + 6 + 6 + 2 + structLength + 16;
        if (totalLength < i2) {
            throw new KNXFormatException("secure packet length < required minimum length " + i2, totalLength);
        }
        ByteBuffer wrap = ByteBuffer.wrap(bArr, i, totalLength - structLength);
        int i3 = wrap.getShort() & 65535;
        long uint48 = uint48(wrap);
        SerialNumber of = SerialNumber.of(uint48(wrap));
        int i4 = wrap.getShort() & 65535;
        ByteBuffer decrypt = decrypt(wrap, key, securityInfo(bArr, i + 2, 65280));
        byte[] bArr2 = new byte[(totalLength - i2) + structLength];
        decrypt.get(bArr2);
        byte[] bArr3 = new byte[16];
        decrypt.get(bArr3);
        byte[] copyOfRange = Arrays.copyOfRange(bArr, i - structLength, (i - structLength) + totalLength);
        System.arraycopy(bArr2, 0, copyOfRange, structLength + 2 + 6 + 6 + 2, bArr2.length);
        cbcMacVerify(copyOfRange, 0, totalLength - 16, key, securityInfo(bArr, i + 2, bArr2.length), bArr3);
        return new Object[]{Integer.valueOf(i3), Long.valueOf(uint48), of, Integer.valueOf(i4), bArr2};
    }

    private Object[] newSessionResponse(KNXnetIPHeader kNXnetIPHeader, byte[] bArr, int i, InetSocketAddress inetSocketAddress) throws KNXFormatException {
        if (kNXnetIPHeader.getServiceType() != SecureSessionResponse) {
            throw new IllegalArgumentException("no secure channel response");
        }
        if (kNXnetIPHeader.getTotalLength() != 56 && kNXnetIPHeader.getTotalLength() != 8) {
            throw new KNXFormatException("invalid length " + bArr.length + " for a secure channel response");
        }
        ByteBuffer wrap = ByteBuffer.wrap(bArr, i, kNXnetIPHeader.getTotalLength() - kNXnetIPHeader.getStructLength());
        this.sessionId = wrap.getShort() & 65535;
        if (this.sessionId == 0) {
            throw new KnxSecureException("no more free secure channels / remote endpoint busy");
        }
        byte[] bArr2 = new byte[32];
        wrap.get(bArr2);
        this.secretKey = createSecretKey(sessionKey(keyAgreement(this.privateKey, bArr2)));
        if (Arrays.equals(this.session.deviceAuthKey().getEncoded(), new byte[16])) {
            this.logger.warn("skipping device authentication of {} (no device key)", Net.hostPort(inetSocketAddress));
        } else {
            ByteBuffer decrypt = decrypt(wrap, this.session.deviceAuthKey(), securityInfo(new byte[16], 0, 65280));
            int structLength = kNXnetIPHeader.getStructLength() + 2 + 32;
            ByteBuffer allocate = ByteBuffer.allocate(18 + structLength);
            allocate.put(new byte[16]);
            allocate.put((byte) 0);
            allocate.put((byte) structLength);
            allocate.put(kNXnetIPHeader.toByteArray());
            allocate.putShort((short) this.sessionId);
            allocate.put(xor(bArr2, 0, this.publicKey, 0, 32));
            if (!Arrays.equals(decrypt.array(), cbcMacSimple(this.session.deviceAuthKey(), allocate.array(), 0, allocate.capacity()))) {
                throw new KnxSecureException("authentication failed for session response " + DataUnitBuilder.toHex(Arrays.copyOfRange(bArr, i - 6, (i - 6) + 56), " "));
            }
        }
        return new Object[]{Integer.valueOf(this.sessionId), bArr2};
    }

    private byte[] newSessionAuth(byte[] bArr) {
        KNXnetIPHeader kNXnetIPHeader = new KNXnetIPHeader(SecureSessionAuth, 18);
        ByteBuffer allocate = ByteBuffer.allocate(kNXnetIPHeader.getTotalLength());
        allocate.put(kNXnetIPHeader.toByteArray());
        allocate.putShort((short) this.session.user());
        ByteBuffer allocate2 = ByteBuffer.allocate(58);
        allocate2.put(new byte[16]);
        allocate2.put((byte) 0);
        allocate2.put((byte) 40);
        allocate2.put(allocate.array(), 0, allocate.position());
        allocate2.put(xor(bArr, 0, this.publicKey, 0, 32));
        byte[] cbcMacSimple = cbcMacSimple(this.session.userKey(), allocate2.array(), 0, allocate2.capacity());
        encrypt(cbcMacSimple, 0, this.session.userKey(), securityInfo(new byte[16], 8, 65280));
        allocate.put(cbcMacSimple);
        return allocate.array();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static int newChannelStatus(KNXnetIPHeader kNXnetIPHeader, byte[] bArr, int i) throws KNXFormatException {
        if (kNXnetIPHeader.getServiceType() != SecureSessionStatus) {
            throw new KNXIllegalArgumentException("no secure channel status");
        }
        if (kNXnetIPHeader.getTotalLength() != 8) {
            throw new KNXFormatException("invalid length " + kNXnetIPHeader.getTotalLength() + " for a secure channel status");
        }
        return bArr[i] & 255;
    }

    private byte[] newGroupSync(long j) {
        if (j < 0 || j > 281474976710655L) {
            throw new KNXIllegalArgumentException("timestamp " + j + " out of range [0..0xffffffffffff]");
        }
        KNXnetIPHeader kNXnetIPHeader = new KNXnetIPHeader(SecureGroupSync, 30);
        ByteBuffer allocate = ByteBuffer.allocate(kNXnetIPHeader.getTotalLength());
        allocate.put(kNXnetIPHeader.toByteArray());
        allocate.putShort((short) (j >> 32)).putInt((int) j);
        if (this.periodicSchedule) {
            this.sentGroupSyncTag = randomClosedRange(1, 65535);
            allocate.put(this.sno.array()).putShort((short) this.sentGroupSyncTag);
        } else {
            allocate.put(this.timerNotifySN.array()).putShort((short) this.timerNotifyTag);
        }
        byte[] cbcMac = cbcMac(allocate.array(), 0, kNXnetIPHeader.getStructLength() + 6 + 6 + 2, securityInfo(allocate.array(), 6, 0));
        encrypt(cbcMac, 0, securityInfo(allocate.array(), 6, 65280));
        allocate.put(cbcMac);
        return allocate.array();
    }

    private Object[] newGroupSync(KNXnetIPHeader kNXnetIPHeader, byte[] bArr, int i) throws KNXFormatException {
        if (kNXnetIPHeader.getTotalLength() != 36) {
            throw new KNXFormatException("invalid length " + bArr.length + " for a secure group sync");
        }
        ByteBuffer wrap = ByteBuffer.wrap(bArr, i, kNXnetIPHeader.getTotalLength() - kNXnetIPHeader.getStructLength());
        long uint48 = uint48(wrap);
        byte[] bArr2 = new byte[6];
        wrap.get(bArr2);
        int i2 = wrap.getShort() & 65535;
        cbcMacVerify(bArr, i - kNXnetIPHeader.getStructLength(), kNXnetIPHeader.getTotalLength() - 16, this.secretKey, securityInfo(wrap.array(), 6, 0), decrypt(wrap, securityInfo(bArr, i, 65280)).array());
        this.logger.trace("received group sync timestamp {} ms (S/N {}, tag {})", new Object[]{Long.valueOf(uint48), DataUnitBuilder.toHex(bArr2, ""), Integer.valueOf(i2)});
        return new Object[]{Long.valueOf(uint48), SerialNumber.from(bArr2), Integer.valueOf(i2)};
    }

    private void encrypt(byte[] bArr, int i, byte[] bArr2) {
        encrypt(bArr, i, this.secretKey, bArr2);
    }

    public static void encrypt(byte[] bArr, int i, Key key, byte[] bArr2) {
        try {
            ByteBuffer cipher = cipher(ByteBuffer.wrap(bArr, i, bArr.length - i), key, bArr2);
            System.arraycopy(cipher.array(), 0, bArr, i, cipher.remaining());
        } catch (GeneralSecurityException e) {
            throw new KnxSecureException("encrypting error", e);
        }
    }

    private ByteBuffer decrypt(ByteBuffer byteBuffer, byte[] bArr) {
        return decrypt(byteBuffer, this.secretKey, bArr);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ByteBuffer decrypt(ByteBuffer byteBuffer, Key key, byte[] bArr) {
        try {
            return cipher(byteBuffer, key, bArr);
        } catch (GeneralSecurityException e) {
            throw new KnxSecureException("decrypting error", e);
        }
    }

    private static ByteBuffer cipher(ByteBuffer byteBuffer, Key key, byte[] bArr) throws GeneralSecurityException {
        int remaining = (byteBuffer.remaining() + 15) >> 4;
        byte[] cipherStream = cipherStream(remaining, key, bArr);
        ByteBuffer allocate = ByteBuffer.allocate(byteBuffer.remaining());
        if (remaining > 1) {
            int i = 0;
            while (allocate.remaining() > 16) {
                allocate.put((byte) (byteBuffer.get() ^ cipherStream[16 + i]));
                i++;
            }
        }
        int i2 = 0;
        while (allocate.hasRemaining()) {
            allocate.put((byte) (byteBuffer.get() ^ cipherStream[i2]));
            i2++;
        }
        return allocate.flip();
    }

    private static byte[] cipherStream(int i, Key key, byte[] bArr) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
        cipher.init(1, key);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        for (int i2 = 0; i2 < i; i2++) {
            byteArrayOutputStream.write(cipher.update(bArr), 0, 16);
            bArr[15] = (byte) (bArr[15] + 1);
        }
        return byteArrayOutputStream.toByteArray();
    }

    private static void cbcMacVerify(byte[] bArr, int i, int i2, Key key, byte[] bArr2, byte[] bArr3) {
        if (!Arrays.equals(cbcMac(bArr, i, i2, key, bArr2), bArr3)) {
            throw new KnxSecureException("authentication failed for " + DataUnitBuilder.toHex(Arrays.copyOfRange(bArr, i, i + i2), " "));
        }
    }

    private byte[] cbcMac(byte[] bArr, int i, int i2, byte[] bArr2) {
        return cbcMac(bArr, i, i2, this.secretKey, bArr2);
    }

    private static byte[] cbcMac(byte[] bArr, int i, int i2, Key key, byte[] bArr2) {
        byte[] copyOfRange = Arrays.copyOfRange(bArr, i, i + i2);
        byte[] copyOfRange2 = Arrays.copyOfRange(bArr, i, i + 6);
        int length = copyOfRange2.length + 2 + 6 + 6 + 2;
        byte[] bArr3 = new byte[0];
        byte[] bArr4 = new byte[0];
        if (i2 > length) {
            bArr3 = Arrays.copyOfRange(bArr, i + 6, i + 8);
            bArr4 = Arrays.copyOfRange(bArr, i + length, i + i2);
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            cipher.init(1, key, new IvParameterSpec(new byte[16]));
            cipher.update(bArr2);
            cipher.update(new byte[]{0, (byte) (copyOfRange2.length + bArr3.length)});
            cipher.update(copyOfRange2);
            cipher.update(bArr3);
            byte[] doFinal = cipher.doFinal(Arrays.copyOfRange(bArr4, 0, (bArr4.length + 15) - ((((24 + bArr3.length) + bArr4.length) + 15) % 16)));
            return Arrays.copyOfRange(doFinal, doFinal.length - 16, doFinal.length);
        } catch (GeneralSecurityException e) {
            throw new KnxSecureException("calculating CBC-MAC of " + DataUnitBuilder.toHex(copyOfRange, " "), e);
        }
    }

    private byte[] cbcMacSimple(Key key, byte[] bArr, int i, int i2) {
        byte[] copyOfRange = Arrays.copyOfRange(bArr, i, i + i2);
        this.logger.trace("authenticating (length {}): {}", Integer.valueOf(i2), DataUnitBuilder.toHex(copyOfRange, " "));
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            cipher.init(1, key, new IvParameterSpec(new byte[16]));
            byte[] doFinal = cipher.doFinal(Arrays.copyOfRange(copyOfRange, 0, ((i2 + 15) / 16) * 16));
            return Arrays.copyOfRange(doFinal, doFinal.length - 16, doFinal.length);
        } catch (GeneralSecurityException e) {
            throw new KnxSecureException("calculating CBC-MAC of " + DataUnitBuilder.toHex(copyOfRange, " "), e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] securityInfo(byte[] bArr, int i, int i2) {
        byte[] copyOfRange = Arrays.copyOfRange(bArr, i, i + 16);
        copyOfRange[14] = (byte) (i2 >> 8);
        copyOfRange[15] = (byte) i2;
        return copyOfRange;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String statusMsg(int i) {
        String[] strArr = {"authorization success", "authorization failed", "unauthorized", "timeout", "keep-alive", "close"};
        return i >= strArr.length ? "unknown status " + i : strArr[i];
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SecretKey createSecretKey(byte[] bArr) {
        if (bArr.length != 16) {
            throw new KNXIllegalArgumentException("KNX key has to be 16 bytes in length");
        }
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, "AES");
        Arrays.fill(bArr, (byte) 0);
        return secretKeySpec;
    }

    private static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        return KeyPairGenerator.getInstance("X25519").generateKeyPair();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] keyAgreement(PrivateKey privateKey, byte[] bArr) {
        try {
            byte[] bArr2 = (byte[]) bArr.clone();
            reverse(bArr2);
            PublicKey generatePublic = KeyFactory.getInstance("X25519").generatePublic(new XECPublicKeySpec(NamedParameterSpec.X25519, new BigInteger(1, bArr2)));
            KeyAgreement keyAgreement = KeyAgreement.getInstance("X25519");
            keyAgreement.init(privateKey);
            keyAgreement.doPhase(generatePublic, true);
            return keyAgreement.generateSecret();
        } catch (GeneralSecurityException e) {
            throw new KnxSecureException("key agreement failed", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] sessionKey(byte[] bArr) {
        try {
            return Arrays.copyOfRange(MessageDigest.getInstance("SHA-256").digest(bArr), 0, 16);
        } catch (NoSuchAlgorithmException e) {
            throw new KnxSecureException("platform does not support SHA-256 algorithm", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static byte[] xor(byte[] bArr, int i, byte[] bArr2, int i2, int i3) {
        if (bArr.length - i3 < i || bArr2.length - i3 < i2) {
            throw new KNXIllegalArgumentException("illegal offset or length");
        }
        byte[] bArr3 = new byte[i3];
        for (int i4 = 0; i4 < i3; i4++) {
            bArr3[i4] = (byte) (bArr[i4 + i] ^ bArr2[i4 + i2]);
        }
        return bArr3;
    }

    private static long uint48(ByteBuffer byteBuffer) {
        return ((byteBuffer.getShort() & 65535) << 32) | (byteBuffer.getInt() & 4294967295L);
    }

    private static void reverse(byte[] bArr) {
        for (int i = 0; i < bArr.length / 2; i++) {
            byte b = bArr[i];
            bArr[i] = bArr[(bArr.length - 1) - i];
            bArr[(bArr.length - 1) - i] = b;
        }
    }

    static {
        groupSyncSender.setKeepAliveTime(30L, TimeUnit.SECONDS);
        groupSyncSender.allowCoreThreadTimeOut(true);
        groupSyncSender.setRemoveOnCancelPolicy(true);
    }
}
