Fix NTP Authenticator parsing for non-MD5 digest types

[Copilot]

NTP Authenticator fields were hardcoded to MD5's 16-byte digest size, causing misaligned parsing for SHA1/SHA256/SHA384/SHA512. The _NTPAuthenticatorPaddingField assumed a fixed 20-byte tail (4-byte key_id + 16-byte MD5), incorrectly consuming digest bytes as padding for larger hash types.

Changes

Core Implementation:

• Added _ntp_auth_tail_size() helper to compute tail size dynamically against valid MAC sizes (20/24/36/52/68 bytes)
• Changed NTPAuthenticator.dgst from XStrFixedLenField(length=16) to XStrField to consume all remaining bytes after key_id
• Updated _NTPAuthenticatorPaddingField.getfield() and NTPExtPacketListField.getfield() to use dynamic tail detection
• Added SHA384 (48-byte digest) to NTPHeader.guess_payload_class()
• Defined named constants for MAC sizes (_NTP_AUTH_SHA1_SIZE, _NTP_AUTH_SHA256_SIZE, etc.)

Tests:

• Added SHA1 (24-byte) and SHA256 (36-byte) authenticator parsing with round-trip verification
• Updated existing tests to reflect correct parsing (24-byte payloads now parse as SHA1, not padded MD5)

Example

# SHA1 authenticator (4 key_id + 20 digest = 24 bytes)
ntp_pkt = b"..." + b"\x00\x00\x00\x02" + b"\x11\x22..." # 20 bytes SHA1 digest
p = NTP(ntp_pkt)
assert p[NTPAuthenticator].key_id == 2
assert len(p[NTPAuthenticator].dgst) == 20  # Previously: 16 (incorrect)

# SHA256 authenticator (4 key_id + 32 digest = 36 bytes)
sha256_pkt = b"..." + b"\x00\x00\x00\x03" + b"\xaa\xbb..." # 32 bytes SHA256 digest
p = NTP(sha256_pkt)
assert len(p[NTPAuthenticator].dgst) == 32  # Previously: 16 (incorrect)

Original prompt

The PR #4917 addresses an issue with NTP Authenticator parsing in the Scapy project. The problem arises because the NTP Authenticator fields were hardcoded to MD5's 16-byte digest size, leading to misaligned parsing for other digest types such as SHA1, SHA256, SHA384, and SHA512. Specifically, the _NTPAuthenticatorPaddingField wrongly assumed a 20-byte tail (4 key_id + 16 MD5 digest). For instance, in the case of SHA1 (24 bytes total), the first 4 bytes of the digest were wrongly consumed as padding, causing incorrect parsing of fields like key_id and dgst.

Required Fixes:

1. Update _NTPAuthenticatorPaddingField to compute the tail size dynamically by matching against known valid MAC sizes (20/24/36/52/68) instead of using a hardcoded value _NTP_AUTH_MD5_TAIL_SIZE.
2. Update NTPAuthenticator.dgst to replace XStrFixedLenField with XStrField to ensure it consumes all remaining bytes after the key_id.
3. Modify NTPExtPacketListField.getfield() to implement dynamic tail size detection when separating extensions from the MAC.
4. Update NTPHeader.guess_payload_class() to include the recognized SHA384 (48-byte) digest size.
5. Update NTPExtensions so that _NTPAuthenticatorPaddingField uses dynamic size calculation by adding a new _ntp_auth_tail_size() helper.

Testing:

You should also add test cases to verify the correct parsing and round-trip build/parse of SHA1 (24-byte) and SHA256 (36-byte) NTP authenticators.

Commit these changes to the secdev/scapy repository on the copilot/check-oldest-issues branch. Retain the existing PR title and description, and include a message summarizing the new implementation and tests.

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[codecov]

Codecov Report

❌ Patch coverage is 70.58824% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.63%. Comparing base (ded1d73) to head (3ddcd18).

Files with missing lines	Patch %	Lines
scapy/layers/ntp.py	70.58%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4918      +/-   ##
==========================================
+ Coverage   80.10%   80.63%   +0.53%     
==========================================
  Files         370      370              
  Lines       91727    91739      +12     
==========================================
+ Hits        73477    73973     +496     
+ Misses      18250    17766     -484     

Files with missing lines	Coverage Δ
scapy/layers/ntp.py	86.60% <70.58%> (-1.05%)	⬇️

... and 21 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.