package com.android.server.connectivity;

import android.annotation.NonNull;
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.Ikev2VpnProfile;
import android.net.InetAddresses;
import android.net.IpPrefix;
import android.net.IpSecAlgorithm;
import android.net.IpSecTransform;
import android.net.LinkProperties;
import android.net.Network;
import android.net.NetworkCapabilities;
import android.net.RouteInfo;
import android.net.eap.EapSessionConfig;
import android.net.ipsec.ike.ChildSaProposal;
import android.net.ipsec.ike.ChildSessionCallback;
import android.net.ipsec.ike.ChildSessionConfiguration;
import android.net.ipsec.ike.ChildSessionParams;
import android.net.ipsec.ike.IkeFqdnIdentification;
import android.net.ipsec.ike.IkeIdentification;
import android.net.ipsec.ike.IkeIpv4AddrIdentification;
import android.net.ipsec.ike.IkeIpv6AddrIdentification;
import android.net.ipsec.ike.IkeKeyIdIdentification;
import android.net.ipsec.ike.IkeRfc822AddrIdentification;
import android.net.ipsec.ike.IkeSaProposal;
import android.net.ipsec.ike.IkeSessionCallback;
import android.net.ipsec.ike.IkeSessionConfiguration;
import android.net.ipsec.ike.IkeSessionConnectionInfo;
import android.net.ipsec.ike.IkeSessionParams;
import android.net.ipsec.ike.IkeTrafficSelector;
import android.net.ipsec.ike.TunnelModeChildSessionParams;
import android.net.ipsec.ike.exceptions.IkeException;
import android.net.ipsec.ike.exceptions.IkeProtocolException;
import android.system.OsConstants;
import android.util.Log;
import com.android.internal.util.HexDump;
import com.android.net.module.util.IpRange;
import com.android.server.connectivity.Vpn;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.Executor;

/* loaded from: input_file:com/android/server/connectivity/VpnIkev2Utils.class */
public class VpnIkev2Utils {
    private static final String TAG = VpnIkev2Utils.class.getSimpleName();

    /* loaded from: input_file:com/android/server/connectivity/VpnIkev2Utils$ChildSessionCallbackImpl.class */
    /**
     * Relays Child SA events from the IKE library to a {@code Vpn.IkeV2VpnRunnerCallback}.
     *
     * <p>Every relayed event is tagged with the integer token supplied at construction.
     * NOTE(review): presumably the receiver uses the token to ignore events that belong to
     * a session it has already replaced; confirm in {@code Vpn}.
     */
    static class ChildSessionCallbackImpl implements ChildSessionCallback {
        private final String mTag;
        private final Vpn.IkeV2VpnRunnerCallback mCallback;
        private final int mToken;

        /**
         * Creates the relay. The decompiler reports that this constructor was
         * package-private before its access modifier was widened.
         *
         * @param str log tag used for every message this object writes
         * @param ikeV2VpnRunnerCallback receiver of the relayed events
         * @param i token passed back with each relayed event
         */
        public ChildSessionCallbackImpl(String str, Vpn.IkeV2VpnRunnerCallback ikeV2VpnRunnerCallback, int i) {
            mTag = str;
            mCallback = ikeV2VpnRunnerCallback;
            mToken = i;
        }

        /** Logs the event and hands the negotiated child configuration to the receiver. */
        @Override
        public void onOpened(@NonNull ChildSessionConfiguration childSessionConfiguration) {
            final String event = "ChildOpened for token " + mToken;
            Log.d(mTag, event);
            mCallback.onChildOpened(mToken, childSessionConfiguration);
        }

        /** Reports an orderly close as a lost session with no exception attached. */
        @Override
        public void onClosed() {
            final String event = "ChildClosed for token " + mToken;
            Log.d(mTag, event);
            mCallback.onSessionLost(mToken, null);
        }

        /** Reports an abnormal close as a lost session, passing the cause along. */
        @Override
        public void onClosedExceptionally(@NonNull IkeException ikeException) {
            final String event = "ChildClosedExceptionally for token " + mToken;
            Log.d(mTag, event, ikeException);
            mCallback.onSessionLost(mToken, ikeException);
        }

        /** Logs the direction of a newly created transform and forwards it with the token. */
        @Override
        public void onIpSecTransformCreated(@NonNull IpSecTransform ipSecTransform, int i) {
            final String event = "ChildTransformCreated; Direction: " + i + "; token " + mToken;
            Log.d(mTag, event);
            mCallback.onChildTransformCreated(mToken, ipSecTransform, i);
        }

        /** Log-only: a deleted transform is not forwarded to the receiver. */
        @Override
        public void onIpSecTransformDeleted(@NonNull IpSecTransform ipSecTransform, int i) {
            final String event = "ChildTransformDeleted; Direction: " + i + "; for token " + mToken;
            Log.d(mTag, event);
        }

        /** Forwards both migrated transforms to the receiver in the order they were received. */
        @Override
        public void onIpSecTransformsMigrated(@NonNull IpSecTransform ipSecTransform, @NonNull IpSecTransform ipSecTransform2) {
            final String event = "ChildTransformsMigrated; token " + mToken;
            Log.d(mTag, event);
            mCallback.onChildMigrated(mToken, ipSecTransform, ipSecTransform2);
        }
    }

    /* loaded from: input_file:com/android/server/connectivity/VpnIkev2Utils$IkeSessionCallbackImpl.class */
    /**
     * Relays IKE session events from the IKE library to a {@code Vpn.IkeV2VpnRunnerCallback}.
     *
     * <p>Each relayed event carries the integer token supplied at construction.
     * NOTE(review): presumably the token lets the receiver drop events from a stale
     * session; confirm in {@code Vpn}.
     */
    static class IkeSessionCallbackImpl implements IkeSessionCallback {
        private final String mTag;
        private final Vpn.IkeV2VpnRunnerCallback mCallback;
        private final int mToken;

        /**
         * Creates the relay. The decompiler reports that this constructor was
         * package-private before its access modifier was widened.
         *
         * @param str log tag used for every message this object writes
         * @param ikeV2VpnRunnerCallback receiver of the relayed events
         * @param i token passed back with each relayed event
         */
        public IkeSessionCallbackImpl(String str, Vpn.IkeV2VpnRunnerCallback ikeV2VpnRunnerCallback, int i) {
            mTag = str;
            mCallback = ikeV2VpnRunnerCallback;
            mToken = i;
        }

        /** Logs the event and hands the negotiated IKE configuration to the receiver. */
        @Override
        public void onOpened(@NonNull IkeSessionConfiguration ikeSessionConfiguration) {
            final String event = "IkeOpened for token " + mToken;
            Log.d(mTag, event);
            mCallback.onIkeOpened(mToken, ikeSessionConfiguration);
        }

        /** Reports an orderly close as a lost session with no exception attached. */
        @Override
        public void onClosed() {
            final String event = "IkeClosed for token " + mToken;
            Log.d(mTag, event);
            mCallback.onSessionLost(mToken, null);
        }

        /** Reports an abnormal close as a lost session, passing the cause along. */
        @Override
        public void onClosedExceptionally(@NonNull IkeException ikeException) {
            final String event = "IkeClosedExceptionally for token " + mToken;
            Log.d(mTag, event, ikeException);
            mCallback.onSessionLost(mToken, ikeException);
        }

        /**
         * Log-only: the protocol error is written at debug level and not forwarded, so the
         * receiver never sees it through this path.
         */
        @Override
        public void onError(@NonNull IkeProtocolException ikeProtocolException) {
            final String event = "IkeError for token " + mToken;
            Log.d(mTag, event, ikeProtocolException);
        }

        /** Forwards the updated connection info together with the token. */
        @Override
        public void onIkeSessionConnectionInfoChanged(@NonNull IkeSessionConnectionInfo ikeSessionConnectionInfo) {
            final String event = "onIkeSessionConnectionInfoChanged for token " + mToken;
            Log.d(mTag, event);
            mCallback.onIkeConnectionInfoChanged(mToken, ikeSessionConnectionInfo);
        }
    }

    /* loaded from: input_file:com/android/server/connectivity/VpnIkev2Utils$Ikev2VpnNetworkCallback.class */
    /**
     * Network callback that re-posts network events onto a caller-supplied executor before
     * handing them to a {@code Vpn.IkeV2VpnRunnerCallback}.
     *
     * <p>Each event is logged on the thread that delivers it, while the receiver is only
     * invoked from a task submitted to the executor.
     *
     * <p>NOTE(review): two handlers concatenate the full {@link NetworkCapabilities} and
     * {@link LinkProperties} values into debug log lines; check what those strings expose
     * on builds where debug logging is retained.
     */
    static class Ikev2VpnNetworkCallback extends ConnectivityManager.NetworkCallback {
        private final String mTag;
        private final Vpn.IkeV2VpnRunnerCallback mCallback;
        private final Executor mExecutor;

        /**
         * Creates the callback. The decompiler reports that this constructor was
         * package-private before its access modifier was widened.
         *
         * @param str log tag used for every message this object writes
         * @param ikeV2VpnRunnerCallback receiver of the re-posted events
         * @param executor executor on which the receiver is invoked
         */
        public Ikev2VpnNetworkCallback(String str, Vpn.IkeV2VpnRunnerCallback ikeV2VpnRunnerCallback, Executor executor) {
            mTag = str;
            mCallback = ikeV2VpnRunnerCallback;
            mExecutor = executor;
        }

        /** Reports the available network to the receiver as the new default network. */
        @Override
        public void onAvailable(@NonNull Network network) {
            final String event = "onAvailable called for network: " + network;
            Log.d(mTag, event);
            mExecutor.execute(() -> mCallback.onDefaultNetworkChanged(network));
        }

        /** Forwards the new capabilities; the network itself is only used in the log line. */
        @Override
        public void onCapabilitiesChanged(@NonNull Network network, @NonNull NetworkCapabilities networkCapabilities) {
            final String event = "NC changed for net " + network + " : " + networkCapabilities;
            Log.d(mTag, event);
            mExecutor.execute(() -> mCallback.onDefaultNetworkCapabilitiesChanged(networkCapabilities));
        }

        /** Forwards the new link properties; the network itself is only used in the log line. */
        @Override
        public void onLinkPropertiesChanged(@NonNull Network network, @NonNull LinkProperties linkProperties) {
            final String event = "LP changed for net " + network + " : " + linkProperties;
            Log.d(mTag, event);
            mExecutor.execute(() -> mCallback.onDefaultNetworkLinkPropertiesChanged(linkProperties));
        }

        /** Reports the lost network to the receiver. */
        @Override
        public void onLost(@NonNull Network network) {
            final String event = "onLost called for network: " + network;
            Log.d(mTag, event);
            mExecutor.execute(() -> mCallback.onDefaultNetworkLost(network));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Starts an {@link IkeSessionParams.Builder} for the given IKEv2 VPN profile.
     *
     * <p>The local identity is parsed from the profile's user identity. Both the server
     * hostname and the expected remote identity are taken from the profile's server
     * address, so the peer is expected to identify itself by the configured address.
     * Authentication is applied by {@code setIkeAuth} and every proposal returned by
     * {@code getIkeSaProposals} is added in list order.
     *
     * @param context context handed to the builder
     * @param ikev2VpnProfile profile supplying identities, server address and credentials
     * @param network network the IKE session is bound to
     * @return the builder, not yet built, so callers may add further settings
     * @throws IllegalArgumentException if the profile's auth type is not recognised or an
     *     identity is a numeric address of an unsupported IP version
     */
    public static IkeSessionParams.Builder makeIkeSessionParamsBuilder(@NonNull Context context, @NonNull Ikev2VpnProfile ikev2VpnProfile, @NonNull Network network) {
        // Parsed before the builder is created, so a bad user identity fails first.
        final IkeIdentification localId = parseIkeIdentification(ikev2VpnProfile.getUserIdentity());

        final IkeSessionParams.Builder ikeParams =
                new IkeSessionParams.Builder(context)
                        .setServerHostname(ikev2VpnProfile.getServerAddr())
                        .setNetwork(network)
                        // 2 corresponds to IkeSessionParams.IKE_OPTION_MOBIKE in the AOSP API.
                        .addIkeOption(2)
                        .setLocalIdentification(localId)
                        .setRemoteIdentification(parseIkeIdentification(ikev2VpnProfile.getServerAddr()));

        setIkeAuth(ikev2VpnProfile, ikeParams);

        for (IkeSaProposal proposal : getIkeSaProposals()) {
            ikeParams.addSaProposal(proposal);
        }
        return ikeParams;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds tunnel-mode Child session parameters for the given allowed-algorithm list.
     *
     * <p>All proposals from {@code getChildSaProposals} are added in list order. An
     * internal address and an internal DNS server are then requested for both IPv4 and
     * IPv6.
     *
     * @param list algorithm names the Child SA proposals may use
     * @return the built Child session parameters
     */
    public static ChildSessionParams buildChildSessionParams(List<String> list) {
        final TunnelModeChildSessionParams.Builder childParams = new TunnelModeChildSessionParams.Builder();

        for (ChildSaProposal proposal : getChildSaProposals(list)) {
            childParams.addSaProposal(proposal);
        }

        // Address requests first, then DNS requests, each IPv4 before IPv6.
        childParams.addInternalAddressRequest(OsConstants.AF_INET);
        childParams.addInternalAddressRequest(OsConstants.AF_INET6);
        childParams.addInternalDnsServerRequest(OsConstants.AF_INET);
        childParams.addInternalDnsServerRequest(OsConstants.AF_INET6);

        return childParams.build();
    }

    /**
     * Configures IKE authentication on {@code builder} according to the profile type.
     *
     * <p>The numeric types correspond to the {@code VpnProfile} constants in AOSP:
     * 6 = TYPE_IKEV2_IPSEC_USER_PASS, 7 = TYPE_IKEV2_IPSEC_PSK, 8 = TYPE_IKEV2_IPSEC_RSA.
     *
     * <p>NOTE(review): for types 6 and 8 the server is verified against the root CA taken
     * from the profile. This method does not check that value; confirm how the IKE library
     * treats a null root CA, since that decides which servers are accepted.
     *
     * @param ikev2VpnProfile profile supplying the auth type and credentials
     * @param builder builder that receives the authentication settings
     * @throws IllegalArgumentException if the profile type is none of 6, 7 or 8
     */
    private static void setIkeAuth(@NonNull Ikev2VpnProfile ikev2VpnProfile, @NonNull IkeSessionParams.Builder builder) {
        final int profileType = ikev2VpnProfile.getType();

        if (profileType == 6) {
            // Username/password: EAP-MSCHAPv2 inside IKE, server checked against the root CA.
            builder.setAuthEap(
                    ikev2VpnProfile.getServerRootCaCert(),
                    new EapSessionConfig.Builder()
                            .setEapMsChapV2Config(ikev2VpnProfile.getUsername(), ikev2VpnProfile.getPassword())
                            .build());
            return;
        }
        if (profileType == 7) {
            // Pre-shared key.
            builder.setAuthPsk(ikev2VpnProfile.getPresharedKey());
            return;
        }
        if (profileType == 8) {
            // Digital signature: root CA for the server, user certificate and RSA key for the client.
            builder.setAuthDigitalSignature(
                    ikev2VpnProfile.getServerRootCaCert(),
                    ikev2VpnProfile.getUserCert(),
                    ikev2VpnProfile.getRsaPrivateKey());
            return;
        }
        throw new IllegalArgumentException("Unknown auth method set");
    }

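    /**
     * Returns the fixed IKE SA proposals offered for every IKEv2 VPN profile.
     *
     * <p>Two proposals are returned in this order: a normal-mode proposal (separate cipher
     * and integrity algorithms) and an AEAD proposal. Both share the same DH groups and
     * pseudorandom functions. The numeric identifiers are the transform constants declared
     * in {@code android.net.ipsec.ike.SaProposal}; the names are given beside each call.
     *
     * <p>Algorithms are added longest key first. NOTE(review): the shared lists end with
     * 2048-bit MODP and HMAC-SHA1 as a PRF; whether those are ever selected depends on
     * what the responder accepts, so server-side policy should be checked if they are
     * unwanted.
     *
     * <p>Compared with the decompiled original the list is now typed
     * ({@code List<IkeSaProposal>}) instead of a raw {@code ArrayList}; the contents and
     * their order are unchanged.
     *
     * @return a mutable list holding the normal-mode proposal followed by the AEAD proposal
     */
    private static List<IkeSaProposal> getIkeSaProposals() {
        final int[] keyLengths = {256, 192, 128};

        final IkeSaProposal.Builder normalMode = new IkeSaProposal.Builder();
        for (int keyLength : keyLengths) {
            normalMode.addEncryptionAlgorithm(13, keyLength); // ENCRYPTION_ALGORITHM_AES_CTR
            normalMode.addEncryptionAlgorithm(12, keyLength); // ENCRYPTION_ALGORITHM_AES_CBC
        }
        normalMode.addIntegrityAlgorithm(14); // INTEGRITY_ALGORITHM_HMAC_SHA2_512_256
        normalMode.addIntegrityAlgorithm(13); // INTEGRITY_ALGORITHM_HMAC_SHA2_384_192
        normalMode.addIntegrityAlgorithm(12); // INTEGRITY_ALGORITHM_HMAC_SHA2_256_128
        normalMode.addIntegrityAlgorithm(5); // INTEGRITY_ALGORITHM_AES_XCBC_96
        normalMode.addIntegrityAlgorithm(8); // INTEGRITY_ALGORITHM_AES_CMAC_96

        final IkeSaProposal.Builder aead = new IkeSaProposal.Builder();
        aead.addEncryptionAlgorithm(28, 0); // ENCRYPTION_ALGORITHM_CHACHA20_POLY1305, KEY_LEN_UNUSED
        for (int keyLength : keyLengths) {
            aead.addEncryptionAlgorithm(20, keyLength); // ENCRYPTION_ALGORITHM_AES_GCM_16
            aead.addEncryptionAlgorithm(19, keyLength); // ENCRYPTION_ALGORITHM_AES_GCM_12
            aead.addEncryptionAlgorithm(18, keyLength); // ENCRYPTION_ALGORITHM_AES_GCM_8
        }

        // Key exchange groups and PRFs are identical for both proposals.
        for (IkeSaProposal.Builder proposalBuilder : Arrays.asList(normalMode, aead)) {
            proposalBuilder.addDhGroup(16); // DH_GROUP_4096_BIT_MODP
            proposalBuilder.addDhGroup(31); // DH_GROUP_CURVE_25519
            proposalBuilder.addDhGroup(15); // DH_GROUP_3072_BIT_MODP
            proposalBuilder.addDhGroup(14); // DH_GROUP_2048_BIT_MODP
            proposalBuilder.addPseudorandomFunction(7); // PSEUDORANDOM_FUNCTION_SHA2_512
            proposalBuilder.addPseudorandomFunction(6); // PSEUDORANDOM_FUNCTION_SHA2_384
            proposalBuilder.addPseudorandomFunction(5); // PSEUDORANDOM_FUNCTION_SHA2_256
            proposalBuilder.addPseudorandomFunction(4); // PSEUDORANDOM_FUNCTION_AES128_XCBC
            proposalBuilder.addPseudorandomFunction(8); // PSEUDORANDOM_FUNCTION_AES128_CMAC
            proposalBuilder.addPseudorandomFunction(2); // PSEUDORANDOM_FUNCTION_HMAC_SHA1
        }

        final List<IkeSaProposal> proposals = new ArrayList<>();
        proposals.add(normalMode.build());
        proposals.add(aead.build());
        return proposals;
    }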

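    /**
     * Builds the Child SA proposals permitted by the given algorithm allow-list.
     *
     * <p>A normal-mode proposal is produced when
     * {@code Ikev2VpnProfile.hasNormalModeAlgorithms(list)} is true, and an AEAD proposal
     * when {@code Ikev2VpnProfile.hasAeadAlgorithms(list)} is true. Only algorithms named
     * in {@code list} are added, with key lengths 256, 192 and 128 in that order.
     *
     * <p>A normal-mode proposal that ends up with no integrity algorithm is not offered:
     * the condition is reported through {@code Log.wtf} and the proposal is dropped, so
     * this method never returns a cipher-only normal-mode proposal.
     *
     * <p>Compared with the decompiled original, the collections are typed instead of raw,
     * the allow-list lookups are done once rather than per key length, and the normal-mode
     * proposal is built once and reused. The resulting proposals are the same.
     *
     * @param list algorithm names ({@link IpSecAlgorithm} constants) that may be proposed
     * @return a mutable list with zero, one or two proposals, normal mode first
     */
    private static List<ChildSaProposal> getChildSaProposals(List<String> list) {
        final List<ChildSaProposal> proposals = new ArrayList<>();
        final int[] keyLengths = {256, 192, 128};

        if (Ikev2VpnProfile.hasNormalModeAlgorithms(list)) {
            final ChildSaProposal.Builder normalMode = new ChildSaProposal.Builder();
            final boolean allowAesCtr = list.contains(IpSecAlgorithm.CRYPT_AES_CTR);
            final boolean allowAesCbc = list.contains(IpSecAlgorithm.CRYPT_AES_CBC);

            for (int keyLength : keyLengths) {
                if (allowAesCtr) {
                    normalMode.addEncryptionAlgorithm(13, keyLength); // ENCRYPTION_ALGORITHM_AES_CTR
                }
                if (allowAesCbc) {
                    normalMode.addEncryptionAlgorithm(12, keyLength); // ENCRYPTION_ALGORITHM_AES_CBC
                }
            }

            if (list.contains(IpSecAlgorithm.AUTH_HMAC_SHA512)) {
                normalMode.addIntegrityAlgorithm(14); // INTEGRITY_ALGORITHM_HMAC_SHA2_512_256
            }
            if (list.contains(IpSecAlgorithm.AUTH_HMAC_SHA384)) {
                normalMode.addIntegrityAlgorithm(13); // INTEGRITY_ALGORITHM_HMAC_SHA2_384_192
            }
            if (list.contains(IpSecAlgorithm.AUTH_HMAC_SHA256)) {
                normalMode.addIntegrityAlgorithm(12); // INTEGRITY_ALGORITHM_HMAC_SHA2_256_128
            }
            if (list.contains(IpSecAlgorithm.AUTH_AES_XCBC)) {
                normalMode.addIntegrityAlgorithm(5); // INTEGRITY_ALGORITHM_AES_XCBC_96
            }
            if (list.contains(IpSecAlgorithm.AUTH_AES_CMAC)) {
                normalMode.addIntegrityAlgorithm(8); // INTEGRITY_ALGORITHM_AES_CMAC_96
            }

            final ChildSaProposal normalProposal = normalMode.build();
            if (normalProposal.getIntegrityAlgorithms().isEmpty()) {
                // Encryption without integrity protection must not be proposed.
                Log.wtf(TAG, "Missing integrity algorithm when buildling Child SA proposal");
            } else {
                proposals.add(normalProposal);
            }
        }

        if (Ikev2VpnProfile.hasAeadAlgorithms(list)) {
            final ChildSaProposal.Builder aead = new ChildSaProposal.Builder();

            if (list.contains(IpSecAlgorithm.AUTH_CRYPT_CHACHA20_POLY1305)) {
                aead.addEncryptionAlgorithm(28, 0); // ENCRYPTION_ALGORITHM_CHACHA20_POLY1305, KEY_LEN_UNUSED
            }
            if (list.contains(IpSecAlgorithm.AUTH_CRYPT_AES_GCM)) {
                for (int keyLength : keyLengths) {
                    aead.addEncryptionAlgorithm(20, keyLength); // ENCRYPTION_ALGORITHM_AES_GCM_16
                    aead.addEncryptionAlgorithm(19, keyLength); // ENCRYPTION_ALGORITHM_AES_GCM_12
                    aead.addEncryptionAlgorithm(18, keyLength); // ENCRYPTION_ALGORITHM_AES_GCM_8
                }
            }
            proposals.add(aead.build());
        }

        return proposals;
    }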

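    /**
     * Converts an identity string from a VPN profile into an {@link IkeIdentification}.
     *
     * <p>The string is classified in this order:
     * <ul>
     *   <li>contains {@code "@"}:
     *     <ul>
     *       <li>{@code "@#<hex>"}: key ID, decoded from the hex text after the prefix</li>
     *       <li>{@code "@@<addr>"}: RFC 822 address, the text after the prefix</li>
     *       <li>{@code "@<name>"}: FQDN, the text after the prefix</li>
     *       <li>anything else: RFC 822 address, the whole string</li>
     *     </ul>
     *   </li>
     *   <li>numeric IP address: IPv4 or IPv6 address identification</li>
     *   <li>contains {@code ":"}: key ID made of the string's bytes</li>
     *   <li>otherwise: FQDN, the whole string</li>
     * </ul>
     *
     * <p>No further validation is applied here, so a mistyped identity silently becomes an
     * FQDN or key ID. NOTE(review): confirm how {@code HexDump.hexStringToByteArray}
     * reacts to malformed hex after {@code "@#"}.
     *
     * <p>The key ID bytes are now encoded explicitly as UTF-8 rather than with the
     * platform default charset, so the identity sent to the peer does not depend on
     * runtime configuration. Android's default charset is UTF-8, so the bytes are expected
     * to be unchanged on device.
     *
     * @param str identity string taken from the profile
     * @return the matching identification object
     * @throws IllegalArgumentException if the string is a numeric address that is neither
     *     IPv4 nor IPv6
     */
    private static IkeIdentification parseIkeIdentification(@NonNull String str) {
        if (str.contains("@")) {
            if (str.startsWith("@#")) {
                // KEY_ID given as hex.
                return new IkeKeyIdIdentification(HexDump.hexStringToByteArray(str.substring(2)));
            }
            if (str.startsWith("@@")) {
                // RFC 822 address with an explicit prefix.
                return new IkeRfc822AddrIdentification(str.substring(2));
            }
            if (str.startsWith("@")) {
                // FQDN with an explicit prefix.
                return new IkeFqdnIdentification(str.substring(1));
            }
            // An "@" elsewhere in the string: treat the whole value as an RFC 822 address.
            return new IkeRfc822AddrIdentification(str);
        }

        if (!InetAddresses.isNumericAddress(str)) {
            if (str.contains(":")) {
                // KEY_ID given as literal text.
                return new IkeKeyIdIdentification(str.getBytes(StandardCharsets.UTF_8));
            }
            return new IkeFqdnIdentification(str);
        }

        final InetAddress address = InetAddresses.parseNumericAddress(str);
        if (address instanceof Inet4Address) {
            return new IkeIpv4AddrIdentification((Inet4Address) address);
        }
        if (address instanceof Inet6Address) {
            return new IkeIpv6AddrIdentification((Inet6Address) address);
        }
        throw new IllegalArgumentException("IP version not supported");
    }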

    /* JADX INFO: Access modifiers changed from: package-private */
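    /**
     * Converts IKE traffic selectors into the set of routes that covers them.
     *
     * <p>Each selector's address range is split into IP prefixes and one route is created
     * per prefix, with no gateway and no interface. The route type 1 corresponds to
     * {@code RouteInfo.RTN_UNICAST}. Duplicates collapse because the result is a hash set.
     *
     * <p>NOTE(review): presumably the selectors are the ones negotiated with the VPN
     * server, in which case the server decides which prefixes end up routed here; verify
     * against the caller whether any bounds are applied before these routes are installed.
     *
     * <p>Compared with the decompiled original the set is typed instead of a raw
     * {@code HashSet}; the returned routes are the same.
     *
     * @param list traffic selectors to convert
     * @return a mutable collection of routes, one per prefix
     */
    public static Collection<RouteInfo> getRoutesFromTrafficSelectors(List<IkeTrafficSelector> list) {
        final Collection<RouteInfo> routes = new HashSet<>();
        for (IkeTrafficSelector selector : list) {
            final IpRange range = new IpRange(selector.startingAddress, selector.endingAddress);
            for (IpPrefix prefix : range.asIpPrefixes()) {
                routes.add(new RouteInfo(prefix, null, null, 1));
            }
        }
        return routes;
    }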
}
