[EMAIL PROTECTED] (Niels Möller) writes:
> "Joseph Galbraith" <[EMAIL PROTECTED]> writes:
>
> > In our configuration of lsh, the lsh client sends
> > "hmac-sha1,hmac-md5"
> >
> > Our server sends "hmac-md5,hmac-sha1,none".
> >
> > In this case, lsh is electing to go with
> > hmac-md5, which I believe is incorrect.
>
> [...]
>
> > It appears that the first algorithm on the client's (lsh, in this case)
> > list should be chosen, which would result in "hmac-sha1" being used.
>
> It definitely should. Thanks for the bug report.

Here's a patch that you can try out; the first hunk is the important
one, the rest is cosmetics.

diff -u -a -r1.71 keyexchange.c
--- keyexchange.c 2000/09/14 23:44:40 1.71
+++ keyexchange.c 2000/10/01 18:57:49
@@ -178,11 +178,11 @@
}
static int
-select_algorithm(struct int_list *server_list,
- struct int_list *client_list)
+select_algorithm(struct int_list *client_list,
+ struct int_list *server_list)
{
/* FIXME: This quadratic complexity algorithm should do as long as
- * the lists are short. To avoid DOS-attacks, ther should probably
+ * the lists are short. To avoid DOS-attacks, there should probably
* be some limit on the list lengths. */
unsigned i, j;
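Review bot: both parameters of select_algorithm have the same type, struct int_list *, so a call site that passes the lists in the wrong order still compiles, and the comment in the body does not say which list takes precedence. Add a line to that comment stating that the first argument is the client's list and that its order decides the result, so the contract this fix depends on is written down next to the signature. The FIXME about limiting the list lengths is still open after this change.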
@@ -272,11 +272,13 @@
/* Select key exchange algorithms */
/* FIXME: Look at the hostkey algorithm as well. */
- if (LIST(connection->kexinits[0]->kex_algorithms)[0]
- == LIST(connection->kexinits[1]->kex_algorithms)[0])
+ if (LIST(connection->kexinits[CONNECTION_CLIENT]->kex_algorithms)[0]
+ == LIST(connection->kexinits[CONNECTION_SERVER]->kex_algorithms)[0])
{
/* Use this algorithm */
- kex_algorithm_atom = LIST(connection->kexinits[0]->kex_algorithms)[0];
+ kex_algorithm_atom
+ = LIST(connection->kexinits[CONNECTION_CLIENT]->kex_algorithms)[0];
+
connection->kex_state = KEX_STATE_IN_PROGRESS;
}
else
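Review bot: CONNECTION_CLIENT and CONNECTION_SERVER are used as indices into connection->kexinits in the comparison and in the assignment, but their definitions are not part of this patch. The comparison is symmetric, so this hunk changes nothing as long as they name the same two slots as the old 0 and 1; that is worth confirming in the header where they are defined. The empty line added after the kex_algorithm_atom assignment is a separate whitespace change and could be dropped.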
@@ -291,8 +293,8 @@
* certain features of the host key algorithms. */
kex_algorithm_atom
- = select_algorithm(connection->kexinits[0]->kex_algorithms,
- connection->kexinits[1]->kex_algorithms);
+ = select_algorithm(connection->kexinits[CONNECTION_CLIENT]->kex_algorithms,
+ connection->kexinits[CONNECTION_SERVER]->kex_algorithms);
/* FIXME: This is actually ok for SRP. */
if (!kex_algorithm_atom)
@@ -304,8 +306,8 @@
}
hostkey_algorithm_atom
- = select_algorithm(connection->kexinits[0]->server_hostkey_algorithms,
- connection->kexinits[1]->server_hostkey_algorithms);
+ =
+select_algorithm(connection->kexinits[CONNECTION_CLIENT]->server_hostkey_algorithms,
+
+connection->kexinits[CONNECTION_SERVER]->server_hostkey_algorithms);
if (!hostkey_algorithm_atom)
{
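Review bot: the added lines for the hostkey_algorithm_atom assignment have been re-wrapped, probably by a mailer: the = sits alone on a line, select_algorithm( starts in the first column, and there is an extra empty added line, giving four + lines against two - lines. The hunk header @@ -304,8 +306,8 @@ declares the same length on both sides, so the hunk no longer matches its own header and patch is likely to reject it. Resend it unwrapped, with the two arguments indented as in the other call sites.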
@@ -320,8 +322,8 @@
for(i = 0; i<KEX_PARAMETERS; i++)
{
parameters[i]
- = select_algorithm(connection->kexinits[0]->parameters[i],
- connection->kexinits[1]->parameters[i]);
+ = select_algorithm(connection->kexinits[CONNECTION_CLIENT]->parameters[i],
+ connection->kexinits[CONNECTION_SERVER]->parameters[i]);
if (!parameters[i])
{
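
The negotiation rule discussed in the thread (the first name on the client's list that the server also offers is chosen), as an added example that is not part of the original message and is not lsh code. It works on comma-separated name strings rather than lsh's `struct int_list`; the function names and the two caps, which bound the quadratic search mentioned in the FIXME, are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_NAMES 32    /* assumed cap on names per list */
#define MAX_NAME_LEN 64 /* assumed cap on the length of one name */

/* Next name in a comma-separated list, or NULL at the end of the list. */
static const char *next_name(const char **cursor, size_t *len)
{
  const char *name = *cursor;
  if (!*name)
    return NULL;
  *len = strcspn(name, ",");
  *cursor = name + *len + (name[*len] == ',');
  return name;
}

/* First name on the client's list that the server also offers: returns 1 and
 * copies it to out, 0 on no match, -1 if a cap or out_size is exceeded. */
int negotiate(const char *client, const char *server, char *out, size_t out_size)
{
  const char *cc = client, *cn;
  size_t clen, n_client = 0;
  while ((cn = next_name(&cc, &clen)) != NULL) {
    const char *sc = server, *sn;
    size_t slen, n_server = 0;
    if (++n_client > MAX_NAMES || clen > MAX_NAME_LEN)
      return -1;
    while ((sn = next_name(&sc, &slen)) != NULL) {
      if (++n_server > MAX_NAMES)
        return -1;
      if (clen > 0 && clen == slen && memcmp(cn, sn, clen) == 0) {
        if (clen + 1 > out_size)
          return -1;
        memcpy(out, cn, clen);
        out[clen] = '\0';
        return 1;
      }
    }
  }
  return 0;
}

int main(void)
{
  char mac[MAX_NAME_LEN + 1];
  /* Client and server lists quoted in the report (argument order matters). */
  int r = negotiate("hmac-sha1,hmac-md5", "hmac-md5,hmac-sha1,none", mac, sizeof mac);
  puts(r == 1 ? mac : "no common algorithm");
  return 0;
}
```

Passing the same two lists in the opposite order selects the server's first choice instead, which is the behaviour the report describes.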