hϽ dZ ddlmZn#e$r ddlmZYnwxYwddlZddlZddlZddlZddl m Z m Z ddl m Z mZddlmZddlmZddlmZmZmZmZmZmZmZmZmZmZdd lmZm Z m!Z!m"Z"m#Z#dd l$m%Z%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+Gd d eZ,e"e%e,ej-e"e(e,ej-e"e,e%ej.e"e,e(ej/GddeZ0GddeZ1GddeZ2e"e%e0ej3e"e(e0ej3e!e&e0de!e&e0de#e&e0dde#e&e1dde#e&e2ddGddeZ4e j5r-ddl6m7Z7ddl8m9Z9ddl:m;Z;mZ> ddl?m=Z@n'#e$re=Z@YnwxYwejAd dZ9eBZ7dxZd!ZCGd"d#eDZEd$eEd$ddd%iZFe=reEd&e=jGe>jH'eFd&<d(ZIeEd)e=jGe>jJd*d+d,eI-eFd)<d.ZKeEd/e;jLd0dd,d*d+d1eK2 eFd/<eEd3e;jLd0dd,d*d+d1eK2 eFd3<eEd4e;jMdd0d*d+d5d1eK6 eFd4<eEd7e;jNdd8d*d+d,d1eK6 eFd7<eEd9e@jOe>jHd:;eFd9<eEdjH'eFd<<e@e=urvdd=lPmQZQejR5ejSd>eQ?eEd@e@jTe>jH'eFd@<eEdAe@jUe>jH'eFdA<dddn #1swxYwYn6eEd@e@jTe>jH'eFd@<eEdAe@jUe>jH'eFdA<e j5rddBlVmWZWddClXmYZYddDlZm[Z[ndxZWxZYZ[GdEdFeBZ\GdGdHeDZ]d$e]d$dddIiZ^eWrue[rse]dJeWe[j_dKIe^dJ<e]dLeWe[j`d1Ie^dL<e]dMeWe[jadNIe^dM<e]dOeWe[jbd8Ie^dO<e]dPeWe[jcdKIe^dP<eYre=re]dQeYe=jGdKdRSe^dQ<dTZddUZedZdWZfGdXdYeDZgdS)[a IPsec layer =========== Example of use: >>> sa = SecurityAssociation(ESP, spi=0xdeadbeef, crypt_algo='AES-CBC', ... crypt_key=b'sixteenbytes key') >>> p = IP(src='1.1.1.1', dst='2.2.2.2') >>> p /= TCP(sport=45012, dport=80) >>> p /= Raw('testdata') >>> p = IP(raw(p)) >>> p >> # noqa: E501 >>> >>> e = sa.encrypt(p) >>> e > # noqa: E501 >>> >>> d = sa.decrypt(e) >>> d >> # noqa: E501 >>> >>> d == p True )gcdN)confcrypto_validator)orbraw) IP_PROTOS) log_loading) ByteEnumField ByteFieldIntField PacketField ShortFieldStrField XByteField XIntField XStrField XStrLenField)PacketRawbind_bottom_up bind_layers bind_top_down)IPUDP)IPv6IPv6ExtHdrHopByHopIPv6ExtHdrDestOptIPv6ExtHdrRoutingc $eZdZdZdZdZeddeedde dde dde d d e d de e d dd gZ edejiedejiedejiedejiedejiiZdS)AHzO Authentication Header See https://tools.ietf.org/rfc/rfc4302.txt c|jdz dzS)z Compute the size of the ICV based on the payloadlen field. Padding size is included as it can only be known from the authentication # noqa: E501 algorithm provided by the Security Association. ) payloadlenselfs V/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/ipsec.py __get_icv_lenzAH.__get_icv_lenPs!#q((nhNr$reservedspir"seqricv) length_frompaddingcdS)Nr)xs r'z AH.csAr)proto)__name__ __module__ __qualname____doc__name_AH__get_icv_lenr rr rrr r fields_descrsocket IPPROTO_AHrrrroverload_fieldsr2r)r'r r Gs D ) ) )  dD),, ,%% :t$$ %$$ UDm<<< Y++>>> K Wf' ( tV&'T6#45D&"34D&"34 OOOr)r )r5)r*c eZdZdZdZeddeddeddgZe d dZ e d e j ied e j ied e j ied e j ied e j iiZdS) ESPzW Encapsulated Security Payload See https://tools.ietf.org/rfc/rfc4303.txt r,r"r-rdataNc |rt|dkr.tjd|ddddkrtSt|dkr&tjd|ddkrtSt S|S)Nr#z!Irr"z!B)lenstructunpackNON_ESP NAT_KEEPALIVErA)cls_pktargskargss r' dispatch_hookzESP.dispatch_hooks{  4yyA~~&-d1Q3i"@"@"Ct"K"KTaFM$$=$=a$@D$H$H$$  r)r5r*N)r6r7r8r9r:rr rr< classmethodrNrr= IPPROTO_ESPrrrrr?r2r)r'rArAws D  %$$ &$K [ Wf( ) tV'(T6#56D&"45D&"45 OOOr)rAc(eZdZeddgZdS)rHnon_esprN)r6r7r8rr<r2r)r'rHrHs$ )S!!KKKr)rHc(eZdZeddgZdS)rI nat_keepaliverDN)r6r7r8rr<r2r)r'rIrIs$ ?D))KKKr)rIi)dport)sport)rVrWc eZdZdZdZeddeddeddedde ed de d de d de ed dgZ d ZdS) _ESPPlainz> Internal class to represent unencrypted ESP packets. rAr,rr-ivrBr0padlenr*r.c|t|j|jztjd|j|jzS)NBB)rrBr0rFpackr\r*r%s r'data_for_encryptionz_ESPPlain.data_for_encryptions.49~~ ,v{4dg/V/VVVr)N)r6r7r8r9r:rr rr rr r rr<r`r2r)r'rYrYs D  %r FB$$B (A dAy)) KWWWWWr)rY) InvalidTag)default_backend)aeadCipher algorithmsmodes)rezQCan't import python-cryptography v1.7+. Disabled IPsec encryption/authentication.cd|dks|dkrdSt||zt||zS)z3 Least Common Multiple between 2 integers. r)absr)abs r'_lcmrks7 Avvaq1q5zzSAYY&&r)cXeZdZdZ d dZdZdZed dZdZ dd Z dd Z dS) CryptAlgoz$ IPsec encryption algorithm Nc X||_||_||_||_d|_d|_t rd|j%t|jt j|_n8|jtj tj tj fvrd|_d|_|||_ n||j dz|_ nd|_ | |j |_n||_|||_n-|$t!d|jD|_nd|_|d|_n||_| d|_dS| |_dS) a :param name: the name of this encryption algorithm :param cipher: a Cipher module :param mode: the mode used with the cipher module :param block_size: the length a block for this algo. Defaults to the `block_size` of the cipher. :param iv_size: the length of the initialization vector of this algo. Defaults to the `block_size` of the cipher. :param key_size: an integer or list/tuple of integers. If specified, force the secret keys length to one of the values. Defaults to the `key_size` of the cipher. :param icv_size: the length of the Integrity Check Value of this algo. Used by Combined Mode Algorithms e.g. GCM :param salt_size: the length of the salt to use as the IV prefix. Usually used by Counter modes e.g. CTR :param format_mode_iv: function to format the Initialization Vector e.g. handle the salt value Default is the random buffer from `generate_iv` FNTr"c3 K|] }|dzV dS)roNr2).0is r' z%CryptAlgo.__init__..)s&!C!CQ!q&!C!C!C!C!C!Cr)rc|SrOr2)rZkws r'r4z$CryptAlgo.__init__..3sBr))r:ciphermodeicv_sizeis_aeadciphers_aead_apirf issubclassModeWithAuthenticationTagrcAESGCMAESCCMChaCha20Poly1305 block_sizeiv_sizekey_sizetuple key_sizes salt_size_format_mode_iv) r&r:rvrwrrrrxrformat_mode_ivs r'__init__zCryptAlgo.__init__sM*      %  -y$)$)*/*I K K dk!%!6!888# (,%  !(DOO  $/14DOODO ??DLL"DL  $DMM  !!C!C&2B!C!C!CCCDMM DM  DNN&DN  !#6#6D #1D r)c|jrUt||jks?t||jvs+tdt|d|jdSdSdS)[ Check that the key length is valid. :param key: a byte string invalid key size z , must be NrrE TypeErrorr&keys r' check_keyzCryptAlgo.check_key7st = 7#c((dm";";s3xx4=?X?X) XXXXt}}677 7 7 7";";?X?Xr)c4tj|jS)z: Generate a random initialization vector. )osurandomrr%s r' generate_ivzCryptAlgo.generate_ivAs z$,'''r)c >|jrT|Rt|||||t |t St||||t S)a :param key: the secret key, a byte string :param mode_iv: the initialization vector or nonce, a byte string. Formatted by `format_mode_iv`. :param digest: also known as tag or icv. A byte string containing the digest of the encrypted data. Only use this during decryption! :returns: an initialized cipher object for this algo )ryrdrvrwrErb)r&rmode_ivdigests r' new_cipherzCryptAlgo.new_cipherIs < F. C   '63v;;77!!   C   '""!! r)ct|jdz}t|jd}| |z|_t jd|jzgtd|jdzR|_t|j t|jzt|jzdz}|dzdkrtd|S)ai Add the correct amount of padding so that the data to encrypt is exactly a multiple of the algorithm's block size. Also, make sure that the total ESP packet length is a multiple of 4 bytes. :param esp: an unencrypted _ESPPlain packet :returns: an unencrypted _ESPPlain packet with valid padding r#Br"rzAThe size of the ESP data is not aligned to 32 bits after padding.) rErBrkrr\rFr_ranger0rZ ValueError)r&espdata_lenalign payload_lens r'padz CryptAlgo.padcssx==1$T_a((Y& k# "2NU1cj1n5M5MNNN #&kkCMM1C 4D4DDqH ?a  `aa a r)Frc||jr|jnd}|}|jr||||j}d} |jrD|r"t jd|j||j } n t jd|j|j } |j r|jtj kr|||} n||} |j dkr&|| |d| |jz|zz}n| ||| }n|||} | } |jrR| | | || z}|| jd|z }n*| || z}t+|j|j |j|z S) ar Encrypt an ESP packet :param sa: the SecurityAssociation associated with the ESP packet. :param esp: an unencrypted _ESPPlain packet with valid padding :param key: the secret key used for encryption :param icv_size: the length of the icv used for integrity check :esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit when using an AEAD algorithm :esn: extended sequence number (32 MSB) :return: a valid ESP packet encrypted with this algorithm Nr)algosarZ!LLL!LL tag_length AES-NULL-GMACr))r,r-rB)ryrxr`rvrrZrFr_r,r-rzrcr~r:encryptr encryptorauthenticate_additional_dataupdatefinalizetagrA) r&rrrrxesn_enesnrBraadrvrs r'rzCryptAlgo.encrypts  (, ;t}}!H&&(( ; I***GGGC| ?? +fcgsCGDDCC +eSWcg>>C$ I;$+--![[[BBFF![[--F9//&..#sSV|d?R"S"SSDD!>>'4==DDg66",,.. <I::3???$++D11I4F4F4H4HHDIM)8)44DD$++D11I4F4F4H4HHDswCG#&4-@@@@r)c v||jr|jnd}|jd|j}|j|jt |j|z }|jt |j|z d} |jr|||} d} |jrD|r"tjd|j ||j } n tjd|j |j } |j r|jtj kr|||} n||} |jdkr!|| | | | |z|zz}n| | || z| }n#t $r} t#| d} ~ wwxYw||| | } | }|jr||  |||z}n!#t $r} t#| d} ~ wwxYwt/|d}t/|d }|t ||z d z t |d z }|dt ||z d z }t1|j |j |||||| S) a Decrypt an ESP packet :param sa: the SecurityAssociation associated with the ESP packet. :param esp: an encrypted ESP packet :param key: the secret key used for encryption :param icv_size: the length of the icv used for integrity check :param esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit when using an AEAD algorithm :param esn: extended sequence number (32 MSB) :returns: a valid ESP packet encrypted with this algorithm :raise scapy.layers.ipsec.IPSecIntegrityError: if the integrity check fails with an AEAD algorithm Nr)rrZrrrrr)r,r-rZrBr0r\r*r.)ryrxrBrrErvrrFr_r,r-rzrcr~r:decryptraIPSecIntegrityErrorr decryptorrrrrrY)r&rrrrxrrrZrBr.rrrverrrr\r*r0s r'rzCryptAlgo.decrypts  (, ;t}}!H Xmt|m $x S]]X%==>hs38}}x/001 ; 3**bR*88GC| ?? +fcgsCGDDCC +eSWcg>>C$ 3;$+--![[[BBFF![[--F3yO33#fnnWc38d?&S&SS%~~gtcz3GG!333-c2223gs;;",,.. <@::3???3$++D11I4F4F4H4HHDD!333-c2223T"X b]]s4yy6)A-s4yy1}<=+SYY'!++,SW W"!( & """ "s1*AE11 F;F  F*H H#HH#)NNNNNNrONFr) r6r7r8r9rrrrrrrrr2r)r'rmrmsEINRB2B2B2B2H777(((2!!!F0A0A0A0AdH"H"H"H"H"H"r)rmNULL)rvrwrzAES-CBC)rvrwc |j|zdzS)Ns crypt_saltrrZrus r'r4r4s2=23EH[3[r)zAES-CTRr"ror#)rvrwrrrrc |j|zSrOrrs r'r4r4s  0Br)zAES-GCM) r)rvrrwrrrrxrrzAES-CCM)rvrwrrrrrxrzCHACHA20-POLY1305rDES)ro)rvrwr3DES)CryptographyDeprecationWarningignore)categoryCASTBlowfish)HMAC)CMAC)hashesceZdZdZdS)rz5 Error risen when the integrity check fails. N)r6r7r8r9r2r)r'rrjs Dr)rcFeZdZdZd dZdZedZd dZd d Z dS) AuthAlgoz# IPsec integrity algorithm NcL||_||_||_||_||_dS)a :param name: the name of this integrity algorithm :param mac: a Message Authentication Code module :param digestmod: a Hash or Cipher module :param icv_size: the length of the integrity check value of this algo :param key_size: an integer or list/tuple of integers. If specified, force the secret keys length to one of the values. Defaults to the `key_size` of the cipher. N)r:mac digestmodrxr)r&r:rrrxrs r'rzAuthAlgo.__init__vs+ "    r)c|jr=t||jvr)tdt|d|jdSdS)rrz, must be one of Nrrs r'rzAuthAlgo.check_keys\ = 7SXXT]::) XXXXt}}677 7 7 7::r)c|jtur5|||tS|||tS)zn :param key: a byte string :returns: an initialized mac object for this algo )rrrrbrs r'new_maczAuthAlgo.new_macs] 8t  88DNN3//1B1BCC C88C!1!1?3D3DEE Er)Frc |js|S||}|tr|t |t|r(|t jd||txj| d|j z c_n|tr|t t| d|r(|t jd|| d|j |t_|S)a Sign an IPsec (ESP or AH) packet with this algo. :param pkt: a packet that contains a valid encrypted ESP or AH layer :param key: the authentication key, a byte string :param esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit :param esn: extended sequence number (32 MSB) :returns: the signed packet !LNTsending)rrhaslayerrArbytesrFr_rBrrxr zero_mutable_fieldscopyr.)r&pktrrrrs r'signz AuthAlgo.signs0x Jll3 <<   9 JJuSX ' ' ' 3 6;tS11222 HMMS\\^^NT]N; ;MMM \\"   9 JJu0TJJJKK L L L 3 6;tS11222,,..$-8CGK r)c|jr |jdkrdS||}d}t|tr|jt |j|jz d}|}|jdt |j|jz |_|t||r(|tj d|n"| trt |tj|jkr^|tj|jd|t_|tjd|j|t_|tj}t!|d}|t||r(|tj d||d|j}||krt%d|d|dS) a Check that the integrity check value (icv) of a packet is valid. :param pkt: a packet that contains a valid encrypted ESP or AH layer :param key: the authentication key, a byte string :param esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit :param esn: extended sequence number (32 MSB) :raise scapy.layers.ipsec.IPSecIntegrityError: if the integrity check fails rNz not foundrFrzpkt_icv=z, computed_icv=)rrxr isinstancerArBrErrrrFr_rr r.r0rrr) r&rrrrrpkt_icvclone computed_icvs r'verifyzAuthAlgo.verifysx 4=A-- Fll3 c3   3hs38}}t}<==>GHHJJE$DS__t}%D$DEEJ JJuU|| $ $ $ 3 6;tS11222 \\"   33r7;4=00"%b'+dmnn"=B!"gk.4=.9B "gkG' EBBBE JJuU|| $ $ $ 3 6;tS11222||~~nt}n5  l " "%%'.ww '>?? ? # "r)rO)Fr) r6r7r8r9rrrrrrr2r)r'rrqs!!!! 777FFFB.?.?.?.?.?.?r)r)rrrxz HMAC-SHA1-96 z SHA2-256-128z SHA2-384-192rz SHA2-512-256z HMAC-MD5-96z AES-CMAC-96)r)rrrxrcD|t|}|j}d}|jdkr+|j}||_||`|`|||fSd}|}t|tttfrqt|tr t|trd}nt|tr|rn+|}|j}t|tttfq|j }||_ ||` |||fS)a Split an IP(v6) packet in the correct location to insert an ESP or AH header. :param orig_pkt: the packet to split. Must be an IP or IPv6 packet :param transport_proto: the IPsec protocol number that will be inserted at the split position. :returns: a tuple (header, nh, payload) where nh is the protocol number of payload. Nr#FT) __class__rpayloadversionr5remove_payloadchksumrErrrrr*plen)orig_pkttransport_protoheadernext_hdrr* found_rt_hdrprevs r'split_for_transportrsA  H . .F~H B ~ \&  M Jr8## $68IK\#]^^ (($677 ($566 # H&788 \ D'H$68IK\#]^^ (W!  Kr8##r))rr"rFc |tr3dt|tjz|t_nt d|jdkrd|_d|_d|_d|_ g}|j D]X}|j tvr| |&| tdt|zY||_ nd|_d|_d|_|j}t'|t(t*t,frt'|t(t,fr$|j D]}|jdzrd|jz|_ngt'|t*rQ|rOd|_|jr@|j}|jd|j||_nn)|j}t'|t(t*t,f|S)aJ When using AH, all "mutable" fields must be "zeroed" before calculating the ICV. See RFC 4302, Section 3.3.3.1. Handling Mutable Fields. :param pkt: an IP(v6) packet containing an AH layer. NOTE: The packet will be modified :param sending: if true, ipv6 routing headers will not be reordered zno AH layer foundr#rr)rr rEr.rrtosflagsttlroptionsoptionIMMUTABLE_IPV4_OPTIONSappendrtcflhlimrrrrrotypeoptlenoptdatasegleft addressespopinsertdst)rrimmutable_optsoptrfinals r'rrTs ||B-CGK 0 00B +,,, {a  ; ? ?Cz333%%c****%%c'CHH*<&=&=>>>>$ ;$68IK\#]^^ ((%79J$KLL #+;;Cy4';&- &: ;H&788 W $% %$$.2244E&--a999#CG'H#$68IK\#]^^ (& Jr)c`eZdZdZeefZ ddZdZddZ dd Z dd Z dd Z dd Z ddZdS)SecurityAssociationzd This class is responsible of "encryption" and "decryption" of IPsec packets. # noqa: E501 r"NFrc |tttjtjhvrtdt |t r0tjttjti||_n||_||_||_| |_ | |_ |r|tvr'td|dttt||_|rK|jj} |dt!|| z |_|t!|| z d|_n/d|_d|_n td|_d|_d|_||_|rJ|t(vr'td|dtt(t(||_||_nt(d|_d|_| rEt | t.t0fs)tdt.jdt0j| |_| rI|turtd t | t4std t4jz| |_dS) a` :param proto: the IPsec proto to use (ESP or AH) :param spi: the Security Parameters Index of this SA :param seq_num: the initial value for the sequence number on encrypted packets :param crypt_algo: the encryption algorithm name (only used with ESP) :param crypt_key: the encryption key (only used with ESP) :param crypt_icv_size: change the default size of the crypt_algo (only used with ESP) :param auth_algo: the integrity algorithm name :param auth_key: the integrity key :param tunnel_header: an instance of a IP(v6) header that will be used to encapsulate the encrypted packets. :param nat_t_header: an instance of a UDP header that will be used for NAT-Traversal. :param esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit when using an AEAD algorithm :param esn: extended sequence number (32 MSB) zproto must be either ESP or AHzunsupported encryption algo z, try Nrzunsupported integrity algo ztunnel_header must be z or z%nat_t_header is only allowed with ESPznat_t_header must be %s)rAr r:rrstrr5r,seq_numrr CRYPT_ALGOSrlist crypt_algorrE crypt_keyrcrypt_icv_size AUTH_ALGOS auth_algoauth_keyrr tunnel_headerr nat_t_header)r&r5r,rrrrrrr r!rrrs r'rzSecurityAssociation.__init__sU2 b#(BG4 4 4=>> > eS ! ! (C"5e->->!@AAA)*5DO ' O5 !*+FC NNY,F+F!G"+C NNY,F,G,G"H!%"&*&1DO!DN"DO,  ! **i!*D,<,<,<!>???' 2DN$DMM'/DN DM  UMB:!F!F U)STT T*  FC GHHHlC00 F 9CH DEEE(r)cb|j|jkrtd|j|jfzdS)Nz.packet spi=0x%x does not match the SA spi=0x%x)r,r)r&rs r' check_spizSecurityAssociation.check_spis? 7dh  L Wdh/011 1  r)c ||j}n9t||jjkrt d|jjzt |j|p|j|}|jrT|j }|j dkr|` |`|` n|` |`|t!||z }t#|t$j\}} } | |_| |_ |j|}|j|||j|j|p|j|p|j}|j||j|p|j|p|j|jr7|j } d| _ | `|j dkr|` n|` || z}|j dkr|`|` n|`||xjdz c_|t!||z S)Nziv length must be %s)r,r-rZr#rrrr")rrrErrrYr,rr rrr5rr*rrrrr=rQrBrrrrrrrrrr!) r&rrrZrrrtunnel ip_headerr*rr!s r' _encrypt_espz SecurityAssociation._encrypt_esps- :,,..BB2ww$/111 69P PQQQDH'*AT\bIII   6',,..F~""LJMMIK""3v|#4#455C!4S&:L!M!M 2wo!!#&&o%%dC&*&9-3-Bt{*-/&;; C M#)#8T[ #tx  1 1 1   &,1133L"#L   A%%OOL  %I   ! !    ? LLA LL""3y3#7#7888r)c8t|j|p|jd|jjz}|jrT|j}|jdkr|`|` |` n|` |` | t||z }t|t j\}}} ||_ |jdkr2t|dzdkrdt| dzz|_n1t|dzdkrdt| dzz|_t|dzdz |_|jdkrYt|t|zt| z|_ |` | t|}n9t|jt|zt| z|_ |j||z | z |j|p|j|p|j} ||xjd z c_| S) Nr)r,r-r.r#rrorrr%r")r r,rrrxr rrr5rErr*rrrrr=r>r0r$rrrrr) r&rrrrahr&r'r*r signed_pkts r' _encrypt_ahzSecurityAssociation._encrypt_ah2s DH'"9T\dn55777   6',,..F~""LJMMIK""3v|#4#455C!4S&:K!L!L 2w   ! !c"ggkQ&6&6!SWWHqL1BJJ WWq[A  !SWWHqL1BJ B1 q(   ! ! NNSWW4s7||CIM !++C NN;;II !233c"gg=G LIN^((R')A)-060E$+-0_DH)>> ? LLA LLr)ct||jstd|jd|j|jt ur||||||S|||||S)a Encrypt (and encapsulate) an IP(v6) packet with ESP or AH according to this SecurityAssociation. :param pkt: the packet to encrypt :param seq_num: if specified, use this sequence number instead of the generated one :param esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit when using an AEAD algorithm :param esn: extended sequence number (32 MSB) :param iv: if specified, use this initialization vector for encryption instead of a random one. :returns: the encrypted/encapsulated packet zcannot encrypt , supported protos are )rrZrr)rrr)rSUPPORTED_PROTOSrrr5rAr(r,)r&rrrZrrs r'rzSecurityAssociation.encryptgs"#t455 F)"}}}d.C.CEFF F :  $$S'(*6),%.. .##C+1s$<< 4;&)oTX " 7 7 7o%%dIt~&*&9'>&*o&>'>&*n&=-3-Bt{*-/ &;;  " -    {aF ))#(33C3sx== I A%%"%& $((*** #ISX > %//I?? $:#&6IL,,.....1fI(+(77999!$Y%6!7!7#ch--!G //99Css38}}, ,r)c|rF|||j||j|p|j|p|j|t }|j}|d|j r|S|}|j dkri|j |_ |` |t|t|z|_|t#|}nS|j |j_ |jt|jt|z|_||z Sr1)r#rrrrrr rremove_underlayerr rr*r5rrrErrr3r)r&rrrrr*rr's r' _decrypt_ahzSecurityAssociation._decrypt_ahs;  7 NN3    N ! !#t})/)>4;&)oTX " 7 7 7W*!!$'''   'NI A%%"$% $((*** #IW = %//I?? #%5   ,,...!$Y%6!7!7#g,,!F w& &r)ct||jstd|jd|j|jt ur3|t r|||||S|jtur3|tr| ||||St|d|jj d)aY Decrypt (and decapsulate) an IP(v6) packet containing ESP or AH. :param pkt: the packet to decrypt :param verify: if False, do not perform the integrity check :param esn_en: extended sequence number enable which allows to use 64-bit sequence number instead of 32-bit when using an AEAD algorithm :param esn: extended sequence number (32 MSB) :returns: the decrypted/decapsulated packet :raise scapy.layers.ipsec.IPSecIntegrityError: if the integrity check fails zcannot decrypt r.)rrrz has no z layer) rr/rrr5rArr5r r8r:)r&rrrrs r'rzSecurityAssociation.decrypts#t455 F)"}}}d.C.CEFF F :  c!2!2 $$S,2%== = Z2  #,,r"2"2 ##Cv3#OO OCCCIJJ Jr)) r"NNNNNNNFr)NNNNr)TNN)r6r7r8r9rrr/rr#r(r,rr5r8rr2r)r'rrsDzIM $*.JKL)L)L)L)\111 :9:9:9:9x3333j<<<<83-3-3-3-j''''@KKKKKKr)r)F)hr9mathr ImportError fractionsrr=rFwarnings scapy.configrr scapy.compatrr scapy.datar scapy.errorr scapy.fieldsr r r r rrrrrr scapy.packetrrrrrscapy.layers.inetrrscapy.layers.inet6rrrrr r> IPPROTO_IP IPPROTO_IPV6rArHrIrQrY crypto_validcryptography.exceptionsracryptography.hazmat.backendsrb&cryptography.hazmat.primitives.ciphersrcrdrerf$cryptography.hazmat.decrepit.ciphersdecrepit_algorithmsinfo ExceptionrkobjectrmrAESCBC_aes_ctr_format_mode_ivCTR_salt_format_mode_ivr}r~r TripleDEScryptography.utilsrcatch_warningsfilterwarningsCAST5r#cryptography.hazmat.primitives.hmacr#cryptography.hazmat.primitives.cmacrcryptography.hazmat.primitivesrrrrSHA1SHA256SHA384SHA512MD5rrrrr2r)r'rcs  6 ////////!!!!!!!! ######                        &%%%%%%% %%%%%%%%P B&+,,,, D"*++++ Bv()))) B,---- &Df F  B6-.... D#&,----sCt$$$$sCt$$$$ c3d$//// c7$d3333 c=D9999 WWWWWWWW0'222222<<<<<< )        )))()KABBBOJ"&&F&Z% '''R"R"R"R"R"R"R"R"t IIfTa @ @ @ P<&Yy.8n,1I777K \[&Yy.8n,1I23/0126M OOOK CB&Yy.2k0<,01223/0026JLLLK $-9_48K6B2678895668+H).444Kj((EEEEEE $X $ & & @ @ #H #H-K M M M M"+)F3F3L16#<#<#2427 !9!9!9J}.$.$.$fCCCCPTKTKTKTKTK&TKTKTKTKTKs1 #F**F43F46A M  MM