crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters (CVE-2021-34558)

[FiloSottile]

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

Thanks to Imre Rad for reporting this issue.
This issue is CVE-2021-34558.

[FiloSottile]

@gopherbot please file backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #47144 (for 1.15), #47145 (for 1.16).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/334030 mentions this issue: [release-branch.go1.15] crypto/tls: test key type when casting

[gopherbot]

Change https://golang.org/cl/334029 mentions this issue: [release-branch.go1.16] crypto/tls: test key type when casting

[gopherbot]

Change https://golang.org/cl/334031 mentions this issue: crypto/tls: test key type when casting