package de.rub.nds.tlsscanner.serverscanner.afterprobe;

import de.rub.nds.scanner.core.afterprobe.AfterProbe;
import de.rub.nds.scanner.core.constants.TestResults;
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.constants.CompressionMethod;
import de.rub.nds.tlsattacker.core.constants.KeyExchangeAlgorithm;
import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
import de.rub.nds.tlsscanner.core.constants.TlsAnalyzedProperty;
import de.rub.nds.tlsscanner.core.report.CipherSuiteGrade;
import de.rub.nds.tlsscanner.core.report.CipherSuiteRater;
import de.rub.nds.tlsscanner.serverscanner.probe.SessionTicketZeroKeyProbe;
import de.rub.nds.tlsscanner.serverscanner.probe.handshakesimulation.ConnectionInsecure;
import de.rub.nds.tlsscanner.serverscanner.probe.handshakesimulation.HandshakeFailureReasons;
import de.rub.nds.tlsscanner.serverscanner.probe.handshakesimulation.SimulatedClientResult;
import de.rub.nds.tlsscanner.serverscanner.report.ServerReport;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;

/* loaded from: input_file:de/rub/nds/tlsscanner/serverscanner/afterprobe/HandshakeSimulationAfterProbe.class */
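/**
 * After-probe that post-processes the simulated client handshakes stored in a {@link ServerReport}.
 *
 * <p>For every {@link SimulatedClientResult} it records why a handshake failed (cipher suite or
 * protocol mismatch, forbidden cipher suite, rejected key size, parsing error), whether a
 * successful handshake must be considered insecure (low-grade cipher suite, known server
 * vulnerabilities that apply to the negotiated parameters, small public keys), and whether the
 * negotiated parameters pass the RFC 7918 (TLS False Start) checks implemented below. Finally it
 * writes the success / failure / insecure counters back to the report.
 *
 * <p>This listing was recovered by a decompiler; the compiler-generated switch-map helper class
 * has been replaced by a plain {@code switch} over {@link KeyExchangeAlgorithm}.
 */
public class HandshakeSimulationAfterProbe extends AfterProbe<ServerReport> {

    /** RSA keys of this many bits or fewer are reported as too small. */
    private static final int WEAK_RSA_KEY_BITS = 1024;

    /** DH groups of this many bits or fewer are reported as too small. */
    private static final int WEAK_DH_KEY_BITS = 1024;

    /** ECDH keys of this many bits or fewer are reported as too small. */
    private static final int WEAK_ECDH_KEY_BITS = 160;

    /** Minimum finite-field DH size accepted by the RFC 7918 key length check. */
    private static final int RFC7918_MIN_DH_BITS = 3072;

    /** Minimum ECDH size accepted by the RFC 7918 key length check. */
    private static final int RFC7918_MIN_ECDH_BITS = 256;

    /**
     * Evaluates every simulated client of the report and stores the verdicts on the client results
     * and the aggregated counters on the report. Does nothing when the report holds no simulated
     * client list.
     *
     * @param serverReport report whose simulated client results are analyzed and updated in place
     */
    public void analyze(ServerReport serverReport) {
        if (serverReport.getSimulatedClientList() == null) {
            return;
        }
        int successfulHandshakes = 0;
        int insecureConnections = 0;
        for (SimulatedClientResult client : serverReport.getSimulatedClientList()) {
            // Boolean.TRUE.equals(...) treats an unset (null) flag as "false" instead of
            // aborting the whole analysis with a NullPointerException.
            if (Boolean.TRUE.equals(client.getReceivedAlert())) {
                checkWhyAlert(serverReport, client);
            } else if (Boolean.TRUE.equals(client.getReceivedAllMandatoryMessages())) {
                checkSelectedProtocolVersion(serverReport, client);
                checkIfHandshakeWouldBeSuccessful(client);
                if (client.getFailReasons().isEmpty()) {
                    client.setHandshakeSuccessful(true);
                }
            } else {
                checkWhyMandatoryMessagesMissing(client);
            }

            if (Boolean.TRUE.equals(client.getHandshakeSuccessful())) {
                successfulHandshakes++;
                checkIfConnectionIsInsecure(serverReport, client);
                if (client.getInsecureReasons().isEmpty()) {
                    client.setConnectionInsecure(false);
                    // Only connections without any insecure reason are evaluated against RFC 7918.
                    checkIfConnectionIsRfc7918Secure(client);
                } else {
                    client.setConnectionInsecure(true);
                    insecureConnections++;
                }
            } else {
                client.setHandshakeSuccessful(false);
            }
        }
        serverReport.setHandshakeSuccessfulCounter(successfulHandshakes);
        serverReport.setHandshakeFailedCounter(
                serverReport.getSimulatedClientList().size() - successfulHandshakes);
        serverReport.setConnectionInsecureCounter(insecureConnections);
    }

    /** Records CIPHER_SUITE_MISMATCH as the fail reason when server and client share no suite. */
    private void checkWhyAlert(ServerReport serverReport, SimulatedClientResult client) {
        if (isCipherSuiteMismatch(serverReport, client)) {
            client.addToFailReasons(HandshakeFailureReasons.CIPHER_SUITE_MISMATCH);
        }
    }

    /**
     * Returns {@code true} when no cipher suite is known to be supported by both sides. A missing
     * list on either side is treated as a mismatch because no common suite can be shown.
     */
    private boolean isCipherSuiteMismatch(ServerReport serverReport, SimulatedClientResult client) {
        if (serverReport.getCipherSuites() == null
                || client.getClientSupportedCipherSuites() == null) {
            return true;
        }
        return Collections.disjoint(
                serverReport.getCipherSuites(), client.getClientSupportedCipherSuites());
    }

    /**
     * Computes the protocol versions supported by both server and client, stores them on the
     * client result, and records whether the version actually selected is the last one of that
     * sorted list.
     */
    private void checkSelectedProtocolVersion(
            ServerReport serverReport, SimulatedClientResult client) {
        if (serverReport.getVersions() == null || client.getSupportedVersionList() == null) {
            return;
        }
        // NOTE(review): both input lists are sorted in place, which mutates the report and the
        // client result. Kept because later consumers may rely on the ordering; confirm.
        Collections.sort(serverReport.getVersions());
        Collections.sort(client.getSupportedVersionList());

        LinkedList<ProtocolVersion> common = new LinkedList<>();
        for (ProtocolVersion version : serverReport.getVersions()) {
            if (client.getSupportedVersionList().contains(version)) {
                common.add(version);
            }
        }
        // Natural ordering of ProtocolVersion; assumes it ranks newer versions last (TODO confirm).
        Collections.sort(common);
        client.setCommonProtocolVersions(common);

        boolean highestSelected =
                !common.isEmpty() && common.getLast().equals(client.getSelectedProtocolVersion());
        client.setHighestPossibleProtocolVersionSelected(highestSelected);
    }

    /** Adds a fail reason for every condition under which the client would abort the handshake. */
    private void checkIfHandshakeWouldBeSuccessful(SimulatedClientResult client) {
        if (isProtocolMismatch(client)) {
            client.addToFailReasons(HandshakeFailureReasons.PROTOCOL_MISMATCH);
        }
        if (isCipherSuiteForbidden(client)) {
            client.addToFailReasons(HandshakeFailureReasons.CIPHER_SUITE_FORBIDDEN);
        }
        if (isPublicKeyLengthRsaNotAccepted(client)) {
            client.addToFailReasons(
                    HandshakeFailureReasons.RSA_CERTIFICATE_MODULUS_SIZE_NOT_ACCEPTED);
        }
        if (isPublicKeyLengthDhNotAccepted(client)) {
            client.addToFailReasons(HandshakeFailureReasons.DHE_MODULUS_SIZE_NOT_ACCEPTED);
        }
    }

    /** Returns {@code true} when the common version list was computed and turned out empty. */
    private boolean isProtocolMismatch(SimulatedClientResult client) {
        return client.getCommonProtocolVersions() != null
                && client.getCommonProtocolVersions().isEmpty();
    }

    /**
     * Returns {@code true} when the selected cipher suite is not supported in the selected protocol
     * version and the client is not listed as tolerating such a suite for that version.
     */
    private boolean isCipherSuiteForbidden(SimulatedClientResult client) {
        // NOTE(review): assumes a selected cipher suite is always present once all mandatory
        // messages were received; a null suite would raise a NullPointerException here.
        if (client.getSelectedCipherSuite().isSupportedInProtocol(
                client.getSelectedProtocolVersion())) {
            return false;
        }
        return client.getVersionAcceptForbiddenCipherSuiteList() == null
                || !client.getVersionAcceptForbiddenCipherSuiteList()
                        .contains(client.getSelectedProtocolVersion());
    }

    /** Returns {@code true} when an RSA key exchange uses a key size the client does not accept. */
    private boolean isPublicKeyLengthRsaNotAccepted(SimulatedClientResult client) {
        if (!client.getKeyExchangeAlgorithm().isKeyExchangeRsa()) {
            return false;
        }
        return isOutsideAcceptedRange(
                client.getServerPublicKeyParameter(), client.getSupportedRsaKeySizeList());
    }

    /** Returns {@code true} when a DH key exchange uses a group size the client does not accept. */
    private boolean isPublicKeyLengthDhNotAccepted(SimulatedClientResult client) {
        if (!client.getKeyExchangeAlgorithm().isKeyExchangeDh()) {
            return false;
        }
        return isOutsideAcceptedRange(
                client.getServerPublicKeyParameter(), client.getSupportedDheKeySizeList());
    }

    /**
     * Checks a key size against the first and last entry of the client's accepted sizes.
     *
     * <p>Without a key size or without any accepted sizes there is nothing to compare, so the key
     * is not reported as rejected (previously a null size or an empty list raised an exception).
     * Presumably the list is ordered ascending so that its ends are the minimum and maximum;
     * verify against the client configuration data.
     */
    private static boolean isOutsideAcceptedRange(Integer keyBits, List<Integer> acceptedSizes) {
        if (keyBits == null || acceptedSizes == null || acceptedSizes.isEmpty()) {
            return false;
        }
        int lowest = acceptedSizes.get(0);
        int highest = acceptedSizes.get(acceptedSizes.size() - 1);
        return keyBits < lowest || highest < keyBits;
    }

    /** Records PARSING_ERROR as the fail reason when an unknown message was received. */
    private void checkWhyMandatoryMessagesMissing(SimulatedClientResult client) {
        if (isParsingError(client)) {
            client.addToFailReasons(HandshakeFailureReasons.PARSING_ERROR);
        }
    }

    /** Returns {@code true} when the client result is flagged as having received unknown data. */
    private boolean isParsingError(SimulatedClientResult client) {
        return Boolean.TRUE.equals(client.getReceivedUnknown());
    }

    /** Collects every reason for which a successfully negotiated connection is insecure. */
    private void checkIfConnectionIsInsecure(
            ServerReport serverReport, SimulatedClientResult client) {
        if (client.getSelectedCipherSuite() != null && isCipherSuiteGradeLow(client)) {
            client.addToInsecureReasons(ConnectionInsecure.CIPHER_SUITE_GRADE_LOW.getReason());
        }
        checkVulnerabilities(serverReport, client);
        checkPublicKeySize(client);
    }

    /** Returns {@code true} when the selected cipher suite is rated {@link CipherSuiteGrade#LOW}. */
    private boolean isCipherSuiteGradeLow(SimulatedClientResult client) {
        return CipherSuiteRater.getGrade(client.getSelectedCipherSuite())
                .equals(CipherSuiteGrade.LOW);
    }

    /**
     * Maps server-wide vulnerability findings onto this connection: a finding only counts when the
     * negotiated parameters are the ones it applies to (CBC for padding oracles, RSA key exchange
     * for Bleichenbacher, compression for CRIME, selected suite names for Sweet32).
     */
    private void checkVulnerabilities(ServerReport serverReport, SimulatedClientResult client) {
        // The caller treats a missing cipher suite as possible, so suite-dependent checks are
        // skipped instead of dereferencing null.
        CipherSuite suite = client.getSelectedCipherSuite();
        KeyExchangeAlgorithm keyExchange = client.getKeyExchangeAlgorithm();

        if (serverReport.getResult(TlsAnalyzedProperty.VULNERABLE_TO_PADDING_ORACLE)
                        == TestResults.TRUE
                && suite != null
                && suite.isCBC()) {
            client.addToInsecureReasons(ConnectionInsecure.PADDING_ORACLE.getReason());
        }
        if (serverReport.getResult(TlsAnalyzedProperty.VULNERABLE_TO_BLEICHENBACHER)
                        == TestResults.TRUE
                && keyExchange != null
                && keyExchange.isKeyExchangeRsa()) {
            client.addToInsecureReasons(ConnectionInsecure.BLEICHENBACHER.getReason());
        }
        // NOTE(review): an unset (null) compression method is also reported as CRIME because it
        // differs from CompressionMethod.NULL; confirm that this conservative result is intended.
        if (client.getSelectedCompressionMethod() != CompressionMethod.NULL) {
            client.addToInsecureReasons(ConnectionInsecure.CRIME.getReason());
        }
        if (serverReport.getResult(TlsAnalyzedProperty.VULNERABLE_TO_SWEET_32) == TestResults.TRUE
                && suite != null
                && isSweet32Candidate(suite)) {
            client.addToInsecureReasons(ConnectionInsecure.SWEET32.getReason());
        }
    }

    /**
     * Name-based match for the cipher families that the Sweet32 check flags. Presumably these are
     * the 64-bit block ciphers among the supported suites; verify when new suites are added.
     */
    private static boolean isSweet32Candidate(CipherSuite suite) {
        String name = suite.name();
        return name.contains("3DES") || name.contains("IDEA") || name.contains("GOST");
    }

    /**
     * Adds an insecure reason when the server's public key parameter is at or below the weak
     * threshold for the negotiated key exchange family. Skipped when the key exchange or the key
     * size is unknown.
     */
    private void checkPublicKeySize(SimulatedClientResult client) {
        KeyExchangeAlgorithm keyExchange = client.getKeyExchangeAlgorithm();
        Integer keyBits = client.getServerPublicKeyParameter();
        if (keyExchange == null || keyBits == null) {
            return;
        }
        String reason = ConnectionInsecure.PUBLIC_KEY_SIZE_TOO_SMALL.getReason();
        if (keyExchange.isKeyExchangeRsa() && keyBits <= WEAK_RSA_KEY_BITS) {
            client.addToInsecureReasons(reason + " - rsa > " + WEAK_RSA_KEY_BITS);
        } else if (keyExchange.isKeyExchangeDh() && keyBits <= WEAK_DH_KEY_BITS) {
            client.addToInsecureReasons(reason + " - dh > " + WEAK_DH_KEY_BITS);
        } else if (keyExchange.isKeyExchangeEcdh() && keyBits <= WEAK_ECDH_KEY_BITS) {
            client.addToInsecureReasons(reason + " - ecdh > " + WEAK_ECDH_KEY_BITS);
        }
    }

    /**
     * Stores whether the connection passes all RFC 7918 checks of this class: protocol version,
     * symmetric cipher, key exchange method and key length. Missing cipher suite or key size
     * yields {@code false}.
     */
    private void checkIfConnectionIsRfc7918Secure(SimulatedClientResult client) {
        CipherSuite suite = client.getSelectedCipherSuite();
        Integer keyBits = client.getServerPublicKeyParameter();
        boolean secure =
                suite != null
                        && keyBits != null
                        && isProtocolVersionWhitelisted(client)
                        && isSymmetricCipherRfc7918Whitelisted(suite)
                        && isKeyExchangeMethodWhitelisted(client)
                        && isKeyLengthWhitelisted(client, keyBits);
        client.setConnectionRfc7918Secure(secure);
    }

    /**
     * Returns {@code true} when the highest common version was selected and it is neither TLS 1.0
     * nor TLS 1.1.
     */
    private boolean isProtocolVersionWhitelisted(SimulatedClientResult client) {
        // NOTE(review): despite the name this is a deny-list of TLS 1.0 / 1.1 only; any other
        // version (including older ones) passes this check and is filtered, if at all, by the
        // AEAD cipher requirement. Consider an explicit allow-list.
        ProtocolVersion selected = client.getSelectedProtocolVersion();
        return Boolean.TRUE.equals(client.getHighestPossibleProtocolVersionSelected())
                && selected != ProtocolVersion.TLS10
                && selected != ProtocolVersion.TLS11;
    }

    /** Returns {@code true} for GCM and ChaCha20-Poly1305 cipher suites. */
    private boolean isSymmetricCipherRfc7918Whitelisted(CipherSuite cipherSuite) {
        return cipherSuite.isGCM() || cipherSuite.isChachaPoly();
    }

    /** Returns {@code true} for the DHE_DSS, DHE_RSA, ECDHE_ECDSA and ECDHE_RSA key exchanges. */
    private boolean isKeyExchangeMethodWhitelisted(SimulatedClientResult client) {
        KeyExchangeAlgorithm keyExchange = client.getKeyExchangeAlgorithm();
        // Direct enum switch; the decompiled form indexed a synthetic ordinal table and labelled
        // one case with an unrelated constant that merely happened to equal 2.
        switch (keyExchange) {
            case DHE_DSS:
            case DHE_RSA:
            case ECDHE_ECDSA:
            case ECDHE_RSA:
                return true;
            default:
                return false;
        }
    }

    /**
     * Returns {@code true} when an ephemeral key exchange uses at least 3072 bits for finite-field
     * DH or at least 256 bits for ECDH.
     *
     * <p>The decompiled code tested {@code isKeyExchangeEcdh()} for both thresholds, which made
     * the 3072-bit branch unreachable and meant a DHE connection could never be rated RFC 7918
     * secure although DHE_DSS and DHE_RSA are whitelisted key exchanges. The 3072-bit threshold now
     * applies to DH; the ECDH result is unchanged.
     */
    private boolean isKeyLengthWhitelisted(SimulatedClientResult client, Integer keyBits) {
        KeyExchangeAlgorithm keyExchange = client.getKeyExchangeAlgorithm();
        if (keyExchange.isKeyExchangeEcdh()) {
            return client.getSelectedCipherSuite().isEphemeral()
                    && keyBits >= RFC7918_MIN_ECDH_BITS;
        }
        if (keyExchange.isKeyExchangeDh()) {
            return client.getSelectedCipherSuite().isEphemeral()
                    && keyBits >= RFC7918_MIN_DH_BITS;
        }
        return false;
    }
}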
