ike package

Submodules

ike.const module

class ike.const.AuthenticationType

Bases: enum.IntEnum

class ike.const.ExchangeType

Bases: enum.IntEnum

class ike.const.MessageType

Bases: enum.IntEnum

class ike.const.ProtocolID

Bases: enum.IntEnum

ike.initiator module

IKE v2 (RFC 5996) initiator implementation

Usage:
initiator.py <remote_peer>

To clean up afterwards,

setkey -FP && setkey -F

class ike.initiator.IKEInitiator

Bases: asyncio.protocols.DatagramProtocol

Implements an IKE initiator that attempts to negotiate a single child SA with a remote peer.

connectionRefused()
connection_made(transport)
datagram_received(data, address)
ike.initiator.main(peer)

ike.payloads module

IKEv2 Payloads as specified in RFC 5996 sections 3.2 - 3.16

class ike.payloads.AUTH(signed_octets=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Authentication Payload

class ike.payloads.IDi(data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Identification Payload for initiator

class ike.payloads.IDr(data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Identification Payload for responder

class ike.payloads.KE(data=None, next_payload=<no_next_payload: 0>, critical=False, group=14, diffie_hellman=None)

Bases: ike.payloads._IkePayload

Key Exchange Payload

parse(data)
class ike.payloads.Nonce(data=None, next_payload=<no_next_payload: 0>, critical=False, nonce=None)

Bases: ike.payloads._IkePayload

Nonce Payload

parse(data)
class ike.payloads.Notify(notify_type=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Notify Payload

parse(data)
class ike.payloads.SA(data=None, proposals=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._IkePayload

Security Association Payload

parse(data)
class ike.payloads.SK(data=None, next_payload=<no_next_payload: 0>, critical=False, iv=None, ciphertext=None)

Bases: ike.payloads._IkePayload

Encrypted Payload

mac(hmac)
class ike.payloads.TSi(addr=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._TS

Traffic Selector Payload for initiator

class ike.payloads.TSr(addr=None, data=None, next_payload=<no_next_payload: 0>, critical=False)

Bases: ike.payloads._TS

Traffic Selector Payload for responder

class ike.payloads.Type

Bases: enum.IntEnum

Payload types from IANA

ike.payloads.get_by_type(payload_type)

Returns an IkePayload (sub)class based on the RFC 5996 payload_type.

Parameters:payload_type – int() IKE payload type

ike.proposal module

Implements Proposal and Transform substructures for Security association (SA) payloads.

Conforms to RFC5996 section 3.3

class ike.proposal.Proposal(data=None, num=1, protocol=<ProtocolID.IKE: 1>, spi=None, spi_len=0, last=False, transforms=None)

Bases: builtins.object

data
parse(data)
class ike.proposal.Transform(name, keysize=None, last=False)

Bases: builtins.object

data

ike.protocol module

High level interface to IKEv2 protocol

class ike.protocol.IKE(address, peer, dh_group=14, nonce_len=32)

Bases: builtins.object

A single IKE negotiation / SA.

Currently implements only Initiator side of the negotiation.

auth_recv()

Handle peer’s IKE_AUTH response.

auth_send()

Generates the second (IKE_AUTH) packet for Initiator

Returns:bytes() containing a valid IKE_AUTH packet
authenticate_peer(auth_data, peer_id, message)

Verifies the peer's authentication.

decrypt(data)

Decrypts an encrypted (SK, 46) IKE payload using self.SK_er

Parameters:data – Encrypted IKE payload including headers (payloads.SK())
Returns:next_payload, data_containing_payloads
Raises IkeError:if packet is corrupted.
encrypt_and_hmac(packet)

Encrypts and signs a Packet() using self.SK_ei and self.SK_ai

Parameters:packet – Unencrypted Packet() with one or more payloads.
Returns:Encrypted and signed Packet() with a single payloads.SK
init_recv()

Parses the IKE_INIT response packet received from Responder.

Assigns the correct values of rSPI and Nr, calculates the Diffie-Hellman exchange and assigns all keys to self.

init_send()

Generates the first (IKE_INIT) packet for Initiator

Returns:bytes() containing a valid IKE_INIT packet
install_ipsec_sas()
parse_packet(data)

Parses a received packet into a Packet() with corresponding payloads. Will decrypt encrypted packets when needed.

Parameters:data – bytes() IKE packet from wire.
Returns:Packet() instance
Raises IkeError:on malformed packet
verify_hmac(data)

Verifies the HMAC signature of an encrypted (SK, 46) payload using self.SK_ar

Parameters:data – bytes(payloads.SK())
Raises IkeError:if calculated signature does not match the one in the payload
exception ike.protocol.IkeError

Bases: builtins.Exception

class ike.protocol.Packet(data=None, exchange_type=None, message_id=0, iSPI=0, rSPI=0)

Bases: builtins.object

An IKE packet.

To generate packets:

  1. instantiate a Packet()
  2. add payloads by Packet.add_payload(<payloads.IkePayload instance>)
  3. send bytes(Packet) to other peer.

Received packets should be generated by IKE.parse_packet().

add_payload(payload)

Adds a payload to packet, updating last payload’s next_payload field
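As an added example, not code from the ike package itself, the stand-alone Python below shows the two mechanics this page describes without reproducing them: the generic payload header chain in which each payload's next_payload field names the payload that follows it (what Packet.add_payload() keeps up to date), and the integrity check on an Encrypted (SK, 46) payload that IKE.verify_hmac() performs before anything is decrypted. The payload type numbers are the IANA values from RFC 5996; the key, SPIs and the stand-in "ciphertext" are constructed sample data, and the HMAC-SHA2-256-128 truncation is an assumed choice of integrity algorithm. The cipher step itself is not performed here.

```python
"""Added example (not the ike package's own code): IKEv2 generic payload
headers (RFC 5996 section 3.2) and the integrity check on an Encrypted (SK)
payload (RFC 5996 section 3.14), done before decryption. Keys, SPIs and the
'ciphertext' are constructed sample data."""
import hashlib
import hmac
import struct

NO_NEXT_PAYLOAD = 0      # matches the page's <no_next_payload: 0> default
NONCE = 40               # IANA payload type: Nonce
SK = 46                  # IANA payload type: Encrypted payload (as on the page)
IKE_AUTH = 35            # IANA exchange type used for the sample message
IKE_HEADER_LEN = 28
INTEG_LEN = 16           # assumed AUTH_HMAC_SHA2_256_128: tag truncated to 128 bits


class IkeError(Exception):
    """Raised on malformed or tampered input, as the page's IKE methods do."""


def generic_header(next_payload, body_len, critical=False):
    # Next Payload (1) | C bit + reserved (1) | Payload Length (2, includes header)
    return struct.pack("!BBH", next_payload, 0x80 if critical else 0, 4 + body_len)


def chain_payloads(payloads):
    """payloads: list of (type, body). Returns (first_type, wire_bytes).
    Each header's Next Payload names the payload after it; the last is 0."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += generic_header(nxt, len(body)) + body
    return (payloads[0][0] if payloads else NO_NEXT_PAYLOAD), out


def walk_payloads(first_type, data):
    """Parse a chain back into (type, body) pairs; every length is bounds-checked."""
    result, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(data):
            raise IkeError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise IkeError("bad payload length")
        result.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    if off != len(data):
        raise IkeError("trailing bytes after last payload")
    return result


def build_sk_message(sk_a, ispi, rspi, exchange_type, msg_id, encrypted):
    """Wrap `encrypted` (IV || ciphertext from the cipher, not produced here) in
    an SK payload plus IKE header, then append the integrity tag. The tag covers
    the whole message, IKE header included, except the tag field itself."""
    sk_len = 4 + len(encrypted) + INTEG_LEN
    header = struct.pack("!QQBBBBII", ispi, rspi, SK, 0x20, exchange_type,
                         0x08, msg_id, IKE_HEADER_LEN + sk_len)   # 0x08 = Initiator flag
    body = header + generic_header(NO_NEXT_PAYLOAD, len(encrypted) + INTEG_LEN) + encrypted
    tag = hmac.new(sk_a, body, hashlib.sha256).digest()[:INTEG_LEN]
    return body + tag


def verify_checksum(sk_a, message):
    """Like the page's IKE.verify_hmac(): recompute the tag under the peer's
    authentication key and compare in constant time; raise IkeError on mismatch.
    Returns IV || ciphertext so that decryption can follow only after this passes."""
    if len(message) < IKE_HEADER_LEN + 4 + INTEG_LEN:
        raise IkeError("message too short for an SK payload")
    if struct.unpack_from("!I", message, 24)[0] != len(message):
        raise IkeError("IKE header length does not match message size")
    body, tag = message[:-INTEG_LEN], message[-INTEG_LEN:]
    expected = hmac.new(sk_a, body, hashlib.sha256).digest()[:INTEG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise IkeError("integrity checksum mismatch")
    return body[IKE_HEADER_LEN + 4:]


def demo():
    """Returns (valid message accepted, tampered message rejected)."""
    sk_a = b"\x11" * 32                             # constructed key, not derived
    encrypted = b"\x00" * 16 + b"\xaa" * 32          # constructed stand-in for IV || ciphertext
    msg = build_sk_message(sk_a, 0x1122334455667788, 0x8877665544332211, IKE_AUTH, 1, encrypted)
    accepted = verify_checksum(sk_a, msg) == encrypted
    tampered = msg[:40] + bytes([msg[40] ^ 0x01]) + msg[41:]   # flip one bit in the body
    try:
        verify_checksum(sk_a, tampered)
        rejected = False
    except IkeError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

walk_payloads() checks every Payload Length against the remaining buffer before slicing, which is the property parse_packet()'s "Raises IkeError on malformed packet" relies on; verify_checksum() checks the tag before exposing the ciphertext, so a corrupted SK payload never reaches the decryption step.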

class ike.protocol.State

Bases: enum.IntEnum

Module contents
