authorThomas Vanbesien <tvanbesi@proton.me>2026-02-18 20:30:33 +0100
committerThomas Vanbesien <tvanbesi@proton.me>2026-02-18 20:30:33 +0100
commit70381b3381d77845dbc04fd521b729b7098134a5 (patch)
tree4fc78178ab9fbeac32c9a7cf7f154fd1233c32ca /src/common.c
parent02e518fd27b43d0d452a264304de7b3d38a58ef6 (diff)
Extract createUnsecureClientConfig, fix None endpoint negotiation
UA_ClientConfig_setDefault leaves securityMode at SignAndEncrypt, so unsecure clients failed endpoint negotiation when the LDS only offered None endpoints. Extract the unsecure client setup into createUnsecureClientConfig() which explicitly sets securityMode and securityPolicyUri to None. Also enable discovery-only None endpoint on ServerRegister so unencrypted clients can discover it, and update the unsecure_anonymous test configs to run fully without encryption.
Diffstat (limited to 'src/common.c')
-rw-r--r--src/common.c46
1 files changed, 30 insertions, 16 deletions
diff --git a/src/common.c b/src/common.c
index 2c0cb87..67ea135 100644
--- a/src/common.c
+++ b/src/common.c
@@ -341,7 +341,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index)
UA_Server *
createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
const char *keyPath, char **trustPaths, size_t trustSize,
- UA_Boolean discoveryOnly, UA_StatusCode *retval)
+ UA_Boolean discovery, UA_StatusCode *retval)
{
UA_Server *server = UA_Server_new ();
UA_ServerConfig *config = UA_Server_getConfig (server);
@@ -360,23 +360,19 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
config, port, &certificate, &privateKey, trustList, trustSize, NULL,
0, NULL, 0);
- /* Always add SecurityPolicy#None so that clients can open an
- initial unencrypted SecureChannel for the GetEndpoints
- handshake, then reconnect with the selected secure policy.
- Restrict None channels to discovery services only so that
- nobody can open a full session without encryption.
-
- When discoveryOnly is true (LDS) we also register a None
- *endpoint* so that purely unencrypted clients can discover
- the server — the open62541 client's internal endpoint
- negotiation requires a matching endpoint in the
- GetEndpoints response. */
- if (*retval == UA_STATUSCODE_GOOD)
+ /* When discovery is true (LDS) add SecurityPolicy#None
+ restricted to discovery services so that unencrypted clients
+ can still call FindServers / GetEndpoints. A matching None
+ endpoint is required because the open62541 client's internal
+ endpoint negotiation needs it in the GetEndpoints response.
+
+ When discovery is false the server is purely secure — no
+ None security policy, no None endpoint. */
+ if (*retval == UA_STATUSCODE_GOOD && discovery)
{
UA_ServerConfig_addSecurityPolicyNone (config, &certificate);
- if (discoveryOnly)
- UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
- UA_MESSAGESECURITYMODE_NONE);
+ UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
+ UA_MESSAGESECURITYMODE_NONE);
config->securityPolicyNoneDiscoveryOnly = true;
}
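Review bot: The status codes from `UA_ServerConfig_addSecurityPolicyNone` and `UA_ServerConfig_addEndpoint` in the `discovery` branch are discarded, so `*retval` can stay GOOD although the None policy or endpoint was never added. An LDS in that state would start normally and only show the problem when unencrypted clients fail endpoint negotiation. Both calls return a `UA_StatusCode` in open62541, so assign them: `*retval = UA_ServerConfig_addSecurityPolicyNone (config, &certificate);` and then `if (*retval == UA_STATUSCODE_GOOD) *retval = UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);`. `config->securityPolicyNoneDiscoveryOnly = true;` is the only line here that keeps full sessions off the None channel, so it should move ahead of the two calls and stay unconditional when the checks are added. createServer's body starts and ends outside the hunk.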
@@ -404,6 +400,24 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
}
UA_StatusCode
+createUnsecureClientConfig (UA_ClientConfig *cc, const char *applicationUri)
+{
+ UA_StatusCode retval = UA_ClientConfig_setDefault (cc);
+ if (retval != UA_STATUSCODE_GOOD)
+ return retval;
+
+ UA_String_clear (&cc->clientDescription.applicationUri);
+ cc->clientDescription.applicationUri = UA_String_fromChars (applicationUri);
+
+ cc->securityMode = UA_MESSAGESECURITYMODE_NONE;
+ UA_String_clear (&cc->securityPolicyUri);
+ cc->securityPolicyUri = UA_String_fromChars (
+ "http://opcfoundation.org/UA/SecurityPolicy#None");
+
+ return UA_STATUSCODE_GOOD;
+}
+
+UA_StatusCode
createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri,
const char *certPath, const char *keyPath,
char **trustPaths, size_t trustSize,
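Review bot: createUnsecureClientConfig returns `UA_STATUSCODE_GOOD` even when a `UA_String_fromChars` call fails to allocate, which leaves an empty `applicationUri` or `securityPolicyUri` in the config with no error reported. A check such as `if (cc->securityPolicyUri.data == NULL) return UA_STATUSCODE_BADOUTOFMEMORY;` after the assignment would surface that. The policy URI is also spelled as a literal here while createServer uses `UA_SECURITY_POLICY_NONE_URI`; if that is the library's `UA_String` constant, `retval = UA_String_copy (&UA_SECURITY_POLICY_NONE_URI, &cc->securityPolicyUri);` removes the duplicate and yields a status to return. The function also has no comment; I would add `/* Configures cc for SecurityPolicy#None: no signing, no encryption. Intended for discovery against the LDS and the unsecure test configs. */` above it so callers do not reach for it where createSecureClientConfig is expected.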