| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 20:30:33 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 20:30:33 +0100 |
| commit | 70381b3381d77845dbc04fd521b729b7098134a5 (patch) | |
| tree | 4fc78178ab9fbeac32c9a7cf7f154fd1233c32ca /src | |
| parent | 02e518fd27b43d0d452a264304de7b3d38a58ef6 (diff) | |
Extract createUnsecureClientConfig, fix None endpoint negotiation
UA_ClientConfig_setDefault leaves securityMode at SignAndEncrypt,
so unsecure clients failed endpoint negotiation when the LDS only
offered None endpoints. Extract the unsecure client setup into
createUnsecureClientConfig() which explicitly sets securityMode and
securityPolicyUri to None.
Also enable discovery-only None endpoint on ServerRegister so
unencrypted clients can discover it, and update the unsecure_anonymous
test configs to run fully without encryption.
Diffstat (limited to 'src')
| -rw-r--r-- | src/client.c | 6 | ||||
| -rw-r--r-- | src/common.c | 46 | ||||
| -rw-r--r-- | src/common.h | 34 | ||||
| -rw-r--r-- | src/server_register.c | 10 |
4 files changed, 59 insertions, 37 deletions
diff --git a/src/client.c b/src/client.c index 4c02a57..3d22a4d 100644 --- a/src/client.c +++ b/src/client.c @@ -298,10 +298,8 @@ main (int argc, char **argv) } else { - UA_ClientConfig *cc = UA_Client_getConfig (client); - UA_ClientConfig_setDefault (cc); - UA_String_clear (&cc->clientDescription.applicationUri); - cc->clientDescription.applicationUri = UA_STRING_ALLOC (applicationUri); + createUnsecureClientConfig (UA_Client_getConfig (client), + applicationUri); } UA_Client_getConfig (client)->logging->context = (void *)(uintptr_t)logLevel; diff --git a/src/common.c b/src/common.c index 2c0cb87..67ea135 100644 --- a/src/common.c +++ b/src/common.c @@ -341,7 +341,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index) UA_Server * createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, const char *keyPath, char **trustPaths, size_t trustSize, - UA_Boolean discoveryOnly, UA_StatusCode *retval) + UA_Boolean discovery, UA_StatusCode *retval) { UA_Server *server = UA_Server_new (); UA_ServerConfig *config = UA_Server_getConfig (server); 
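Review bot: The status returned by `createUnsecureClientConfig` is discarded in the else branch of main in src/client.c, so a failed `UA_ClientConfig_setDefault` goes unnoticed and the client carries on with a partly initialised config. The next visible line dereferences `logging`, which is presumably only valid after a successful setup. Capture the result, e.g. `UA_StatusCode rv = createUnsecureClientConfig (UA_Client_getConfig (client), applicationUri);`, and on `rv != UA_STATUSCODE_GOOD` take the same error path as the secure branch. That branch and the rest of main lie outside this hunk.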
@@ -360,23 +360,19 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, config, port, &certificate, &privateKey, trustList, trustSize, NULL, 0, NULL, 0); - /* Always add SecurityPolicy#None so that clients can open an - initial unencrypted SecureChannel for the GetEndpoints - handshake, then reconnect with the selected secure policy. - Restrict None channels to discovery services only so that - nobody can open a full session without encryption. - - When discoveryOnly is true (LDS) we also register a None - *endpoint* so that purely unencrypted clients can discover - the server — the open62541 client's internal endpoint - negotiation requires a matching endpoint in the - GetEndpoints response. */ - if (*retval == UA_STATUSCODE_GOOD) + /* When discovery is true (LDS) add SecurityPolicy#None + restricted to discovery services so that unencrypted clients + can still call FindServers / GetEndpoints. A matching None + endpoint is required because the open62541 client's internal + endpoint negotiation needs it in the GetEndpoints response. + + When discovery is false the server is purely secure — no + None security policy, no None endpoint. */ + if (*retval == UA_STATUSCODE_GOOD && discovery) { UA_ServerConfig_addSecurityPolicyNone (config, &certificate); - if (discoveryOnly) - UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, - UA_MESSAGESECURITYMODE_NONE); + UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, + UA_MESSAGESECURITYMODE_NONE); config->securityPolicyNoneDiscoveryOnly = true; } 
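Review bot: The status codes of `UA_ServerConfig_addSecurityPolicyNone` and `UA_ServerConfig_addEndpoint` are dropped in the `discovery` branch of createServer, yet `securityPolicyNoneDiscoveryOnly` is set and the function continues as if both had succeeded. Unencrypted clients now depend on that endpoint being present, so keep the results: `*retval = UA_ServerConfig_addSecurityPolicyNone (config, &certificate);` then `if (*retval == UA_STATUSCODE_GOOD) *retval = UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);`. The "(LDS)" in the new comment is also no longer accurate, because src/server_register.c passes `true` in this same commit. createServer starts and ends outside the hunk, so how a bad `*retval` is handled afterwards is not visible here.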
@@ -404,6 +400,24 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, } UA_StatusCode +createUnsecureClientConfig (UA_ClientConfig *cc, const char *applicationUri) +{ + UA_StatusCode retval = UA_ClientConfig_setDefault (cc); + if (retval != UA_STATUSCODE_GOOD) + return retval; + + UA_String_clear (&cc->clientDescription.applicationUri); + cc->clientDescription.applicationUri = UA_String_fromChars (applicationUri); + + cc->securityMode = UA_MESSAGESECURITYMODE_NONE; + UA_String_clear (&cc->securityPolicyUri); + cc->securityPolicyUri = UA_String_fromChars ( + "http://opcfoundation.org/UA/SecurityPolicy#None"); + + return UA_STATUSCODE_GOOD; +} + +UA_StatusCode createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri, const char *certPath, const char *keyPath, char **trustPaths, size_t trustSize, diff --git a/src/common.h b/src/common.h index 8c3c9d6..a531fc9 100644 --- a/src/common.h +++ b/src/common.h 
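Review bot: Neither `UA_String_fromChars` result in createUnsecureClientConfig is checked, so a NULL `applicationUri` or a failed allocation leaves an empty string and the function still returns `UA_STATUSCODE_GOOD`. For the policy URI, prefer the constant createServer already uses over a second hard-coded literal, which also yields a status to test: `retval = UA_String_copy (&UA_SECURITY_POLICY_NONE_URI, &cc->securityPolicyUri);` then `if (retval != UA_STATUSCODE_GOOD) return retval;`. For the application URI, return an error when the resulting string's `data` is NULL instead of continuing.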
@@ -52,12 +52,14 @@ void freeTrustStore (char **paths, size_t size); * @brief Creates a UA_Server, optionally configured with security policies. * * When @p certPath is non-NULL the server is initialized with encryption - * (certificate, private key, trustlist). When @p discoveryOnly is true - * the server additionally offers SecurityPolicy#None restricted to - * discovery services (FindServers, GetEndpoints) so that unencrypted - * clients can still discover the server. When @p certPath is NULL the - * server runs with SecurityPolicy#None only (keyPath, trustPaths and - * discoveryOnly are ignored). The applicationUri is set in both cases. + * (certificate, private key, trustlist). When @p discovery is true the + * server additionally offers SecurityPolicy#None restricted to discovery + * services (FindServers, GetEndpoints) so that unencrypted clients can + * still discover the server. When @p discovery is false the server is + * purely secure — no None security policy, no None endpoint. When + * @p certPath is NULL the server runs with SecurityPolicy#None only + * (keyPath, trustPaths and discovery are ignored). The applicationUri + * is set in both cases. * * @param port Server port number. * @param applicationUri OPC UA application URI. 
@@ -65,15 +67,15 @@ void freeTrustStore (char **paths, size_t size); * @param keyPath Path to private key (.der), or NULL when certPath is NULL. * @param trustPaths Array of trustlist file paths (may be NULL). * @param trustSize Number of entries in trustPaths. - * @param discoveryOnly When true and certPath is non-NULL, add a None - * endpoint restricted to discovery services. + * @param discovery When true and certPath is non-NULL, add a None + * endpoint restricted to discovery services. * @param retval Output parameter set to the status code on failure. * @return A configured UA_Server, or NULL on error. */ UA_Server *createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, const char *keyPath, char **trustPaths, size_t trustSize, - UA_Boolean discoveryOnly, UA_StatusCode *retval); + UA_Boolean discovery, UA_StatusCode *retval); /** * @brief Parses a log-level name into the corresponding UA_LogLevel value. @@ -129,6 +131,20 @@ UA_MessageSecurityMode parseSecurityMode (const char *name); const char *resolveSecurityPolicyUri (const char *shortName); /** + * @brief Initializes a UA_ClientConfig without encryption. + * + * Sets up a default client config with SecurityPolicy#None and the given + * application URI. Explicitly sets securityMode and securityPolicyUri so + * that internal endpoint negotiation matches None endpoints. + * + * @param cc Pointer to a zero-initialized UA_ClientConfig. + * @param applicationUri OPC UA application URI. + * @return UA_STATUSCODE_GOOD on success, error code otherwise. + */ +UA_StatusCode createUnsecureClientConfig (UA_ClientConfig *cc, + const char *applicationUri); + +/** * @brief Initializes a UA_ClientConfig with encryption from file paths. * * The config must be zero-initialized by the caller before calling this diff --git a/src/server_register.c b/src/server_register.c index 44a4d49..8f23d1c 100644 --- a/src/server_register.c +++ b/src/server_register.c 
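Review bot: The new doc comment for createUnsecureClientConfig in src/common.h does not say what "without encryption" means for the caller. With securityMode None, messages are neither signed nor encrypted, so the peer is not authenticated and traffic can be read or altered on the path. A line such as ` * @warning Messages are neither signed nor encrypted; intended for discovery or trusted test networks.` would make that explicit. The `@param cc` text also asks for a zero-initialized config, while src/client.c passes `UA_Client_getConfig (client)`. If an already initialised config is acceptable (the body clears both strings before overwriting them), the wording should say so.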
@@ -71,13 +71,7 @@ makeLdsClientConfig (UA_ClientConfig *cc, const LdsClientParams *p) } else { - rv = UA_ClientConfig_setDefault (cc); - if (rv == UA_STATUSCODE_GOOD) - { - UA_String_clear (&cc->clientDescription.applicationUri); - cc->clientDescription.applicationUri - = UA_String_fromChars (p->appUri); - } + rv = createUnsecureClientConfig (cc, p->appUri); } if (rv != UA_STATUSCODE_GOOD) return rv; @@ -246,7 +240,7 @@ main (int argc, char **argv) UA_StatusCode retval; server = createServer ((UA_UInt16)port, applicationUri, serverCertPath, serverKeyPath, serverTrustPaths, serverTrustSize, - false, &retval); + true, &retval); if (!server) goto cleanup; |
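Review bot: Passing a literal `true` for `discovery` in main of src/server_register.c means every ServerRegister instance started with a certificate now accepts SecurityPolicy#None channels and advertises a None endpoint, and an operator cannot switch this off. The channel is restricted to discovery services, but answers given over it are unauthenticated, so deployments that only serve secure clients gain exposure without benefit. Consider taking the value from a configuration entry or command-line option (name to be chosen) that defaults to `false`, and logging at startup when the None endpoint is enabled. main continues outside this hunk, so the existing option parsing is not visible here.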
