First packet follows check needs pubkey guess

ejohnstown · ejohnstown · commit 0765095dcfb1 · 2026-04-16T14:09:49.000-07:00
When processing the KEX Init message, also stash a guess for the peer's
public key algorithm. When checking first_packet_follows when handling
the KEX Dh Init message, need to check both KEX and public key guesses.

Affected functions: DoKexInit, DoKexDhInit.
Issue: F-1686
diff --git a/src/internal.c b/src/internal.c
@@ -4350,6 +4350,7 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
         }
     }
     if (ret == WS_SUCCESS) {
+        ssh->handshake->pubKeyIdGuess = list[0];
         algoId = MatchIdLists(side, list, listSz, cannedList, cannedListSz);
         if (algoId == ID_UNKNOWN) {
             WLOG(WS_LOG_DEBUG, "Unable to negotiate Server Host Key Algo");
@@ -4816,7 +4817,8 @@ static int DoKexDhInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 
     if (ret == WS_SUCCESS) {
         if (ssh->handshake->kexPacketFollows
-                && ssh->handshake->kexIdGuess != ssh->handshake->kexId) {
+            && (ssh->handshake->kexIdGuess != ssh->handshake->kexId ||
+                ssh->handshake->pubKeyIdGuess != ssh->handshake->pubKeyId)) {
 
             /* skip this message. */
             WLOG(WS_LOG_DEBUG, "Skipping the client's KEX init function.");
diff --git a/wolfssh/internal.h b/wolfssh/internal.h
@@ -628,6 +628,7 @@ typedef struct HandshakeInfo {
     byte kexIdGuess;
     byte kexHashId;
     byte pubKeyId;
+    byte pubKeyIdGuess;
     byte encryptId;
     byte macId;
     byte kexPacketFollows;
