First packet follows check needs pubkey guess

When processing the KEX Init message, stash guesses for the peer's
KEX and public key algorithms. When reading first_packet_follows, if set
check the guesses and set the handshake info flag ignoreNextKexMsg. When
processing the KexDhInit message, check that flag.

Affected functions: DoKexInit, DoKexDhInit.
Issue: F-1686

Author: ejohnstown

src/internal.c

@@ -571,6 +571,7 @@ static HandshakeInfo* HandshakeInfoNew(void* heap)
                                     heap, DYNTYPE_HS);
     if (newHs != NULL) {
         WMEMSET(newHs, 0, sizeof(HandshakeInfo));
+        newHs->expectMsgId = MSGID_NONE;
         newHs->kexId = ID_NONE;
         newHs->kexHashId = WC_HASH_TYPE_NONE;
         newHs->pubKeyId  = ID_NONE;
@@ -4238,6 +4239,9 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
     byte algoId;
     byte list[24] = {ID_NONE};
     byte cannedList[24] = {ID_NONE};
+    byte kexIdGuess = ID_NONE;
+    byte pubKeyIdGuess = ID_NONE;
+    byte kexPacketFollows = 0;
     word32 listSz;
     word32 cannedListSz;
     word32 cannedAlgoNamesSz;
@@ -4309,7 +4313,7 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
                 (const byte*)ssh->algoListKex, cannedAlgoNamesSz);
     }
     if (ret == WS_SUCCESS) {
-        ssh->handshake->kexIdGuess = list[0];
+        kexIdGuess = list[0];
         algoId = MatchIdLists(side, list, listSz,
                 cannedList, cannedListSz);
         if (algoId == ID_UNKNOWN) {
@@ -4354,6 +4358,7 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
         }
     }
     if (ret == WS_SUCCESS) {
+        pubKeyIdGuess = list[0];
         algoId = MatchIdLists(side, list, listSz, cannedList, cannedListSz);
         if (algoId == ID_UNKNOWN) {
             WLOG(WS_LOG_DEBUG, "Unable to negotiate Server Host Key Algo");
@@ -4511,10 +4516,15 @@ static int DoKexInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
     /* First KEX Packet Follows */
     if (ret == WS_SUCCESS) {
         WLOG(WS_LOG_DEBUG, "DKI: KEX Packet Follows");
-        ret = GetBoolean(&ssh->handshake->kexPacketFollows, buf, len, &begin);
+        ret = GetBoolean(&kexPacketFollows, buf, len, &begin);
         if (ret == WS_SUCCESS) {
             WLOG(WS_LOG_DEBUG, " packet follows: %s",
-                    ssh->handshake->kexPacketFollows ? "yes" : "no");
+                    kexPacketFollows ? "yes" : "no");
+            if (kexPacketFollows
+                    && (kexIdGuess != ssh->handshake->kexId
+                        || pubKeyIdGuess != ssh->handshake->pubKeyId)) {
+                ssh->handshake->ignoreNextKexMsg = 1;
+            }
         }
     }
 
@@ -4819,12 +4829,11 @@ static int DoKexDhInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
         ret = WS_BAD_ARGUMENT;
 
     if (ret == WS_SUCCESS) {
-        if (ssh->handshake->kexPacketFollows
-                && ssh->handshake->kexIdGuess != ssh->handshake->kexId) {
-
+        if (ssh->handshake->ignoreNextKexMsg) {
             /* skip this message. */
-            WLOG(WS_LOG_DEBUG, "Skipping the client's KEX init function.");
-            ssh->handshake->kexPacketFollows = 0;
+            WLOG(WS_LOG_DEBUG, "Skipping client's KEXDH_INIT message due to "
+                               "first_packet_follows guess mismatch.");
+            ssh->handshake->ignoreNextKexMsg = 0;
             *idx += len;
             return WS_SUCCESS;
         }

wolfssh/internal.h

@@ -628,12 +628,10 @@ typedef struct Keys {
 typedef struct HandshakeInfo {
     byte expectMsgId;
     byte kexId;
-    byte kexIdGuess;
     byte kexHashId;
     byte pubKeyId;
     byte encryptId;
     byte macId;
-    byte kexPacketFollows;
     byte aeadMode;
 
     byte blockSz;
@@ -660,6 +658,7 @@ typedef struct HandshakeInfo {
     word32 generatorSz;
 #endif
 
+    byte ignoreNextKexMsg:1;
     byte useDh:1;
     byte useEcc:1;
     byte useEccMlKem:1;