I download the SharpSSH v1.1.1.13 source code last week. I use DotNet Framework 4.0 and was following coments on the CodeProject site for removing the dependency on the Mentalis Security library written for DotNet 1.x. I found 2 "new" places to make changes, in the HMACMD596 and HMACSHA196 classes, but one of them seems wrong. I couldn't find anything in previous bug reports to say anyone had questioned this before, so here goes.
In Tamir.SharpSsh.jsch.jce.HMACSHA196.init(byte[] key) method, the method name, constant name, and the comments all reference using SHA1-96 algorithm, but the code has:
mentalis_mac = new Org.Mentalis.Security.Cryptography.HMAC(new System.Security.Cryptography.MD5CryptoServiceProvider(), key);
which is using the MD5 algorithm.
Is that correct?