From 0b2885c8c0d4467cfe98136748a9d011d0b8fff0 Mon Sep 17 00:00:00 2001
From: Rod Hynes <rod-hynes@users.noreply.github.com>
Date: Tue, 13 Jul 2021 12:56:36 -0400
Subject: [PATCH] Backport fix for CVE-2021-34558 (#80)

See: https://groups.google.com/g/golang-dev/c/5LJ2V7rd-Ag/m/YGLHVBZ6AAAJ
---
 key_agreement.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/key_agreement.go b/key_agreement.go
index 488401d0..f8526183 100644
--- a/key_agreement.go
+++ b/key_agreement.go
@@ -69,7 +69,11 @@ func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello
 		return nil, nil, err
 	}
 
-	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
+	rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
+	if !ok {
+		return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
+	}
+	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
 	if err != nil {
 		return nil, nil, err
 	}