diff options
| -rw-r--r-- | src/client.c | 6 | ||||
| -rw-r--r-- | src/common.c | 46 | ||||
| -rw-r--r-- | src/common.h | 34 | ||||
| -rw-r--r-- | src/server_register.c | 10 | ||||
| -rw-r--r-- | tests/unsecure_anonymous/client.conf | 7 | ||||
| -rw-r--r-- | tests/unsecure_anonymous/server_lds.conf | 2 | ||||
| -rw-r--r-- | tests/unsecure_anonymous/server_register_client.conf | 6 |
7 files changed, 61 insertions, 50 deletions
diff --git a/src/client.c b/src/client.c index 4c02a57..3d22a4d 100644 --- a/src/client.c +++ b/src/client.c @@ -298,10 +298,8 @@ main (int argc, char **argv) } else { - UA_ClientConfig *cc = UA_Client_getConfig (client); - UA_ClientConfig_setDefault (cc); - UA_String_clear (&cc->clientDescription.applicationUri); - cc->clientDescription.applicationUri = UA_STRING_ALLOC (applicationUri); + createUnsecureClientConfig (UA_Client_getConfig (client), + applicationUri); } UA_Client_getConfig (client)->logging->context = (void *)(uintptr_t)logLevel; diff --git a/src/common.c b/src/common.c index 2c0cb87..67ea135 100644 --- a/src/common.c +++ b/src/common.c @@ -341,7 +341,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index) UA_Server * createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, const char *keyPath, char **trustPaths, size_t trustSize, - UA_Boolean discoveryOnly, UA_StatusCode *retval) + UA_Boolean discovery, UA_StatusCode *retval) { UA_Server *server = UA_Server_new (); UA_ServerConfig *config = UA_Server_getConfig (server); @@ -360,23 +360,19 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, config, port, &certificate, &privateKey, trustList, trustSize, NULL, 0, NULL, 0); - /* Always add SecurityPolicy#None so that clients can open an - initial unencrypted SecureChannel for the GetEndpoints - handshake, then reconnect with the selected secure policy. - Restrict None channels to discovery services only so that - nobody can open a full session without encryption. - - When discoveryOnly is true (LDS) we also register a None - *endpoint* so that purely unencrypted clients can discover - the server — the open62541 client's internal endpoint - negotiation requires a matching endpoint in the - GetEndpoints response. */ - if (*retval == UA_STATUSCODE_GOOD) + /* When discovery is true (LDS) add SecurityPolicy#None + restricted to discovery services so that unencrypted clients + can still call FindServers / GetEndpoints. A matching None + endpoint is required because the open62541 client's internal + endpoint negotiation needs it in the GetEndpoints response. + + When discovery is false the server is purely secure — no + None security policy, no None endpoint. */ + if (*retval == UA_STATUSCODE_GOOD && discovery) { UA_ServerConfig_addSecurityPolicyNone (config, &certificate); - if (discoveryOnly) - UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, - UA_MESSAGESECURITYMODE_NONE); + UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, + UA_MESSAGESECURITYMODE_NONE); config->securityPolicyNoneDiscoveryOnly = true; } @@ -404,6 +400,24 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, } UA_StatusCode +createUnsecureClientConfig (UA_ClientConfig *cc, const char *applicationUri) +{ + UA_StatusCode retval = UA_ClientConfig_setDefault (cc); + if (retval != UA_STATUSCODE_GOOD) + return retval; + + UA_String_clear (&cc->clientDescription.applicationUri); + cc->clientDescription.applicationUri = UA_String_fromChars (applicationUri); + + cc->securityMode = UA_MESSAGESECURITYMODE_NONE; + UA_String_clear (&cc->securityPolicyUri); + cc->securityPolicyUri = UA_String_fromChars ( + "http://opcfoundation.org/UA/SecurityPolicy#None"); + + return UA_STATUSCODE_GOOD; +} + +UA_StatusCode createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri, const char *certPath, const char *keyPath, char **trustPaths, size_t trustSize, diff --git a/src/common.h b/src/common.h index 8c3c9d6..a531fc9 100644 --- a/src/common.h +++ b/src/common.h @@ -52,12 +52,14 @@ void freeTrustStore (char **paths, size_t size); * @brief Creates a UA_Server, optionally configured with security policies. * * When @p certPath is non-NULL the server is initialized with encryption - * (certificate, private key, trustlist). When @p discoveryOnly is true - * the server additionally offers SecurityPolicy#None restricted to - * discovery services (FindServers, GetEndpoints) so that unencrypted - * clients can still discover the server. When @p certPath is NULL the - * server runs with SecurityPolicy#None only (keyPath, trustPaths and - * discoveryOnly are ignored). The applicationUri is set in both cases. + * (certificate, private key, trustlist). When @p discovery is true the + * server additionally offers SecurityPolicy#None restricted to discovery + * services (FindServers, GetEndpoints) so that unencrypted clients can + * still discover the server. When @p discovery is false the server is + * purely secure — no None security policy, no None endpoint. When + * @p certPath is NULL the server runs with SecurityPolicy#None only + * (keyPath, trustPaths and discovery are ignored). The applicationUri + * is set in both cases. * * @param port Server port number. * @param applicationUri OPC UA application URI. @@ -65,15 +67,15 @@ void freeTrustStore (char **paths, size_t size); * @param keyPath Path to private key (.der), or NULL when certPath is NULL. * @param trustPaths Array of trustlist file paths (may be NULL). * @param trustSize Number of entries in trustPaths. - * @param discoveryOnly When true and certPath is non-NULL, add a None - * endpoint restricted to discovery services. + * @param discovery When true and certPath is non-NULL, add a None + * endpoint restricted to discovery services. * @param retval Output parameter set to the status code on failure. * @return A configured UA_Server, or NULL on error. */ UA_Server *createServer (UA_UInt16 port, const char *applicationUri, const char *certPath, const char *keyPath, char **trustPaths, size_t trustSize, - UA_Boolean discoveryOnly, UA_StatusCode *retval); + UA_Boolean discovery, UA_StatusCode *retval); /** * @brief Parses a log-level name into the corresponding UA_LogLevel value. @@ -129,6 +131,20 @@ UA_MessageSecurityMode parseSecurityMode (const char *name); const char *resolveSecurityPolicyUri (const char *shortName); /** + * @brief Initializes a UA_ClientConfig without encryption. + * + * Sets up a default client config with SecurityPolicy#None and the given + * application URI. Explicitly sets securityMode and securityPolicyUri so + * that internal endpoint negotiation matches None endpoints. + * + * @param cc Pointer to a zero-initialized UA_ClientConfig. + * @param applicationUri OPC UA application URI. + * @return UA_STATUSCODE_GOOD on success, error code otherwise. + */ +UA_StatusCode createUnsecureClientConfig (UA_ClientConfig *cc, + const char *applicationUri); + +/** * @brief Initializes a UA_ClientConfig with encryption from file paths. * * The config must be zero-initialized by the caller before calling this diff --git a/src/server_register.c b/src/server_register.c index 44a4d49..8f23d1c 100644 --- a/src/server_register.c +++ b/src/server_register.c @@ -71,13 +71,7 @@ makeLdsClientConfig (UA_ClientConfig *cc, const LdsClientParams *p) } else { - rv = UA_ClientConfig_setDefault (cc); - if (rv == UA_STATUSCODE_GOOD) - { - UA_String_clear (&cc->clientDescription.applicationUri); - cc->clientDescription.applicationUri - = UA_String_fromChars (p->appUri); - } + rv = createUnsecureClientConfig (cc, p->appUri); } if (rv != UA_STATUSCODE_GOOD) return rv; @@ -246,7 +240,7 @@ main (int argc, char **argv) UA_StatusCode retval; server = createServer ((UA_UInt16)port, applicationUri, serverCertPath, serverKeyPath, serverTrustPaths, serverTrustSize, - false, &retval); + true, &retval); if (!server) goto cleanup; diff --git a/tests/unsecure_anonymous/client.conf b/tests/unsecure_anonymous/client.conf index d93000e..c6fd6c9 100644 --- a/tests/unsecure_anonymous/client.conf +++ b/tests/unsecure_anonymous/client.conf @@ -1,14 +1,7 @@ # Client — test: unsecure_anonymous -# Has certs for encryption support (needed to negotiate with the secured -# LDS) but no securityMode/securityPolicy — lets the client auto-select -# the best available endpoint on each server. applicationUri = urn:localhost:bobink:Client -# certificate = certs/Client_cert.der -# privateKey = certs/Client_key.der -# trustStore = certs/trust/client -# securityMode = None securityPolicy = None diff --git a/tests/unsecure_anonymous/server_lds.conf b/tests/unsecure_anonymous/server_lds.conf index c5808bd..4ebbf33 100644 --- a/tests/unsecure_anonymous/server_lds.conf +++ b/tests/unsecure_anonymous/server_lds.conf @@ -1,5 +1,5 @@ # ServerLDS — test: unsecure_anonymous -# Secured LDS with discovery-only None endpoint. +# Unsecured LDS (no encryption). port = 14840 applicationUri = urn:localhost:bobink:ServerLDS diff --git a/tests/unsecure_anonymous/server_register_client.conf b/tests/unsecure_anonymous/server_register_client.conf index c2ae348..cae7fef 100644 --- a/tests/unsecure_anonymous/server_register_client.conf +++ b/tests/unsecure_anonymous/server_register_client.conf @@ -1,12 +1,8 @@ # ServerRegister client config — test: unsecure_anonymous -# Registers with the secured LDS over an encrypted channel. +# Registers with the LDS without encryption. applicationUri = urn:localhost:bobink:ServerRegister -certificate = certs/ServerRegisterClient_cert.der -privateKey = certs/ServerRegisterClient_key.der -trustStore = certs/trust/server_register_client - securityMode = None securityPolicy = None |