Improve anon suites
5 files changed, 30 insertions, 7 deletions
diff --git a/crypto/src/tls/DefaultTlsServer.cs b/crypto/src/tls/DefaultTlsServer.cs
index edab24b71..2df6c37eb 100644
--- a/crypto/src/tls/DefaultTlsServer.cs
+++ b/crypto/src/tls/DefaultTlsServer.cs
@@ -85,10 +85,6 @@ namespace Org.BouncyCastle.Tls
case KeyExchangeAlgorithm.DHE_DSS:
return GetDsaSignerCredentials();
- case KeyExchangeAlgorithm.DH_anon:
- case KeyExchangeAlgorithm.ECDH_anon:
- return null;
-
case KeyExchangeAlgorithm.ECDHE_ECDSA:
return GetECDsaSignerCredentials();
diff --git a/crypto/src/tls/DtlsServerProtocol.cs b/crypto/src/tls/DtlsServerProtocol.cs
index c019eb9fb..b01c6e34f 100644
--- a/crypto/src/tls/DtlsServerProtocol.cs
+++ b/crypto/src/tls/DtlsServerProtocol.cs
@@ -155,7 +155,13 @@ namespace Org.BouncyCastle.Tls
}
state.keyExchange = TlsUtilities.InitKeyExchangeServer(state.serverContext, state.server);
- state.serverCredentials = TlsUtilities.EstablishServerCredentials(state.server);
+
+ state.serverCredentials = null;
+
+ if (!KeyExchangeAlgorithm.IsAnonymous(securityParameters.KeyExchangeAlgorithm))
+ {
+ state.serverCredentials = TlsUtilities.EstablishServerCredentials(state.server);
+ }
// Server certificate
{
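Review bot: The new `IsAnonymous` gate around `EstablishServerCredentials` has no comment saying that skipping it is deliberate, and the same gate is repeated in the `TlsServerProtocol.cs` hunk. With it in place, the server's credential callback is presumably never consulted for DH_anon/ECDH_anon, so the offered cipher-suite list becomes the only place an application can refuse an unauthenticated handshake. I would add above the `if` in both files: `// Anonymous key exchange: the server is not authenticated, so no credentials are requested; anon suites must be excluded via the cipher suite list if unwanted.` The enclosing method starts and ends outside this hunk, so how the following "Server certificate" block treats a null `serverCredentials` cannot be confirmed from here.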
diff --git a/crypto/src/tls/KeyExchangeAlgorithm.cs b/crypto/src/tls/KeyExchangeAlgorithm.cs
index 1dfa6db66..fdb2773f1 100644
--- a/crypto/src/tls/KeyExchangeAlgorithm.cs
+++ b/crypto/src/tls/KeyExchangeAlgorithm.cs
@@ -59,5 +59,18 @@ namespace Org.BouncyCastle.Tls
* GMT 0024-2014
*/
public const int SM2 = 25;
+
+ public static bool IsAnonymous(int keyExchangeAlgorithm)
+ {
+ switch (keyExchangeAlgorithm)
+ {
+ case DH_anon:
+ case DH_anon_EXPORT:
+ case ECDH_anon:
+ return true;
+ default:
+ return false;
+ }
+ }
}
}
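Review bot: `IsAnonymous` is a new public method with no XML documentation, and the protocol code in this commit now relies on it for a security decision. A summary would make the contract explicit, for example `/// <summary>Returns true for key exchange algorithms in which the server is not authenticated (DH_anon, DH_anon_EXPORT, ECDH_anon).</summary>`. It is also worth a remark that any anonymous key exchange constant added later must be listed here, because the `default` branch classifies unknown values as authenticated.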
diff --git a/crypto/src/tls/TlsServerProtocol.cs b/crypto/src/tls/TlsServerProtocol.cs
index f32ecc2da..c90ef4109 100644
--- a/crypto/src/tls/TlsServerProtocol.cs
+++ b/crypto/src/tls/TlsServerProtocol.cs
@@ -953,7 +953,12 @@ namespace Org.BouncyCastle.Tls
this.m_keyExchange = TlsUtilities.InitKeyExchangeServer(m_tlsServerContext, m_tlsServer);
- TlsCredentials serverCredentials = TlsUtilities.EstablishServerCredentials(m_tlsServer);
+ TlsCredentials serverCredentials = null;
+
+ if (!KeyExchangeAlgorithm.IsAnonymous(securityParameters.KeyExchangeAlgorithm))
+ {
+ serverCredentials = TlsUtilities.EstablishServerCredentials(m_tlsServer);
+ }
// Server certificate
{
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index f6e509b7d..72ff92271 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -4799,8 +4799,11 @@ namespace Org.BouncyCastle.Tls
MemoryStream buf)
{
SecurityParameters securityParameters = clientContext.SecurityParameters;
- if (null != securityParameters.PeerCertificate)
+ if (KeyExchangeAlgorithm.IsAnonymous(securityParameters.KeyExchangeAlgorithm)
+ || null != securityParameters.PeerCertificate)
+ {
throw new TlsFatalAlert(AlertDescription.unexpected_message);
+ }
MemoryStream endPointHash = new MemoryStream();
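Review bot: The new rejection of a server Certificate message under an anonymous key exchange has no test in this commit, since all five changed files are under `crypto/src/tls`. A handshake test that negotiates an anon suite and has the server send a Certificate would pin the `unexpected_message` alert, and would catch a regression if `IsAnonymous` or this guard changes. A short comment on the condition would also help, such as `// A Certificate message is never valid for anonymous key exchange, nor after a certificate was already received.` The enclosing method begins and ends outside this hunk.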