Address code review feedback: add MAC size constants and clarify comments

Copilot · guedou · Copilot · commit 3ddcd1858843 · 2026-02-14T13:02:55.000Z
- Define named constants for MAC sizes (_NTP_AUTH_MD5_SIZE, _NTP_AUTH_SHA1_SIZE, etc.)
- Update _ntp_auth_tail_size() to use constants instead of hardcoded values
- Clarify test comments to explain SHA1 vs MD5 parsing interpretation

Co-authored-by: guedou &lt;11683796+guedou@users.noreply.github.com&gt;
diff --git a/scapy/layers/ntp.py b/scapy/layers/ntp.py
@@ -58,6 +58,14 @@
 _NTP_HDR_WITH_EXT_MIN_SIZE = _NTP_AUTH_MD5_MIN_SIZE + _NTP_EXT_MIN_SIZE
 _NTP_AUTH_MD5_TAIL_SIZE = 20
 _NTP_AUTH_MD5_DGST_SIZE = 16
+
+# Valid NTP MAC sizes (key_id + digest)
+_NTP_AUTH_MD5_SIZE = 20      # 4 + 16
+_NTP_AUTH_SHA1_SIZE = 24     # 4 + 20
+_NTP_AUTH_SHA256_SIZE = 36   # 4 + 32
+_NTP_AUTH_SHA384_SIZE = 52   # 4 + 48
+_NTP_AUTH_SHA512_SIZE = 68   # 4 + 64
+
 _NTP_PRIVATE_PACKET_MIN_SIZE = 8
 
 # ntpd "Private" messages are the shortest
@@ -82,17 +90,23 @@ def _ntp_auth_tail_size(length):
     """
     Dynamically compute the NTP authenticator tail size (key_id + digest).
     
-    Valid MAC sizes are: 20, 24, 36, 52, 68 bytes (4-byte key_id + digest)
-    - 20 bytes: MD5 (4 + 16)
-    - 24 bytes: SHA1 (4 + 20)
-    - 36 bytes: SHA256 (4 + 32)
-    - 52 bytes: SHA384 (4 + 48)
-    - 68 bytes: SHA512 (4 + 64)
+    Valid MAC sizes are defined as constants:
+    - _NTP_AUTH_MD5_SIZE (20): MD5 (4 + 16)
+    - _NTP_AUTH_SHA1_SIZE (24): SHA1 (4 + 20)
+    - _NTP_AUTH_SHA256_SIZE (36): SHA256 (4 + 32)
+    - _NTP_AUTH_SHA384_SIZE (52): SHA384 (4 + 48)
+    - _NTP_AUTH_SHA512_SIZE (68): SHA512 (4 + 64)
     
     Returns the tail size if it matches a known valid size, otherwise 
     returns _NTP_AUTH_MD5_TAIL_SIZE as a fallback.
     """
-    valid_mac_sizes = [20, 24, 36, 52, 68]
+    valid_mac_sizes = [
+        _NTP_AUTH_MD5_SIZE,
+        _NTP_AUTH_SHA1_SIZE,
+        _NTP_AUTH_SHA256_SIZE,
+        _NTP_AUTH_SHA384_SIZE,
+        _NTP_AUTH_SHA512_SIZE
+    ]
     # Check for exact match with a known MAC size
     if length in valid_mac_sizes:
         return length
diff --git a/test/scapy/layers/ntp.uts b/test/scapy/layers/ntp.uts
@@ -106,8 +106,10 @@ assert p.stratum == 2
 = NTPAuthenticator - MD5 with padding (old test, updated for correct parsing)
 
 # This packet has 24 bytes of authenticator data
-# With the old (broken) code, it was parsed as: 4 padding + 4 key_id + 16 MD5 digest
-# With the new (correct) code, it should be parsed as: 4 key_id + 20 SHA1 digest  
+# The old (incorrect) code interpreted this as: 4 padding + 4 key_id + 16 MD5 digest  
+# The new (correct) code interprets 24 bytes as SHA1 MAC: 4 key_id + 20 SHA1 digest
+# Note: This test packet may have been created with MD5 intent, but with 24 bytes
+# total, it's now correctly parsed as SHA1 according to RFC 5905 standards
 s = hex_bytes("000c2962f268d094666d23750800450000640db640004011a519c0a80364c0a80305a51e007b0050731a2300072000000000000000000000000000000000000000000000000000000000000000000000000052c7bc1dda64b97d0000000bcdc3825dbf6b7ad02886ff45aa8b2eaf7ac78bc1")
 p = Ether(s)
 assert NTPAuthenticator in p
