From 99b5b4416193fafaa815746ea756900d2ab26917 Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Wed, 18 Feb 2026 15:39:29 +0100 Subject: Make client/server encryption optional, rename tests to full names Make encryption optional for both ServerRegister's LDS client connection and the server side of ServerLDS/ServerRegister: when certificate, privateKey, and trustStore are omitted the programs run with SecurityPolicy#None only. Secure servers also add a discovery-only None endpoint so unencrypted clients can still call FindServers and GetEndpoints. Consolidate tests from 5 policy-specific cases (nosec_anon, none_user, basic256sha256_anon, aes256_anon, aes128_user) down to 3 that cover the important axes: unsecure_anonymous, secure_anonymous, secure_user. Rename directories to use full names. Auto-generate certificates and trust stores in run_test.sh. Update readme and CLAUDE.md to reflect the current program interface (unified Client binary, split ServerRegister configs) and the new test names.
---
src/server_register.c | 111 +++++++++++++++++++++++++++++++++-----------------
1 file changed, 73 insertions(+), 38 deletions(-)
(limited to 'src/server_register.c')
diff --git a/src/server_register.c b/src/server_register.c
index ec5045f..817169f 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -62,9 +62,23 @@ static UA_StatusCode
 makeLdsClientConfig (UA_ClientConfig *cc, const LdsClientParams *p)
 {
 memset (cc, 0, sizeof (UA_ClientConfig));
- UA_StatusCode rv = createSecureClientConfig (
- cc, p->appUri, p->certPath, p->keyPath, p->trustPaths, p->trustSize,
- p->securityMode, p->securityPolicyUri);
+ UA_StatusCode rv;
+ if (p->certPath)
+ {
+ rv = createSecureClientConfig (cc, p->appUri, p->certPath, p->keyPath,
+ p->trustPaths, p->trustSize,
+ p->securityMode, p->securityPolicyUri);
+ }
+ else
+ {
+ rv = UA_ClientConfig_setDefault (cc);
+ if (rv == UA_STATUSCODE_GOOD)
+ {
+ UA_String_clear (&cc->clientDescription.applicationUri);
+ cc->clientDescription.applicationUri
+ = UA_String_fromChars (p->appUri);
+ }
+ }
 if (rv != UA_STATUSCODE_GOOD)
 return rv;
 cc->logging->context = (void *)(uintptr_t)p->logLevel;
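Review bot: The fallback to `UA_ClientConfig_setDefault` is keyed on `p->certPath` alone, so a caller that passes a key path or a trust list without a certificate silently gets an unencrypted client instead of an error; the all-or-nothing rule exists only in main's config parsing, not in this function. Making the contract explicit here with `if (!p->certPath && (p->keyPath || p->trustSize)) return UA_STATUSCODE_BADINVALIDARGUMENT;` before the branch keeps the downgrade from ever happening by accident, and the plain branch deserves a comment saying that `p->securityMode` and `p->securityPolicyUri` are ignored there because the default config only loads the None policy. The result of `UA_String_fromChars` is also unchecked; as far as I recall it yields an empty string on allocation failure (or a NULL `p->appUri`), in which case the client would announce an empty applicationUri — a `UA_STATUSCODE_BADOUTOFMEMORY` return when `cc->clientDescription.applicationUri.data` is NULL closes that. makeLdsClientConfig's body continues below the hunk.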
@@ -165,33 +179,60 @@ main (int argc, char **argv)
 
 const char *clientAppUri
 = configRequire (&clientCfg, "applicationUri", "ServerRegister");
- const char *clientCertPath
- = configRequire (&clientCfg, "certificate", "ServerRegister");
- const char *clientKeyPath
- = configRequire (&clientCfg, "privateKey", "ServerRegister");
- const char *securityModeStr
- = configRequire (&clientCfg, "securityMode", "ServerRegister");
- const char *securityPolicyStr
- = configRequire (&clientCfg, "securityPolicy", "ServerRegister");
-
- if (!clientAppUri || !clientCertPath || !clientKeyPath || !securityModeStr
- || !securityPolicyStr)
+ if (!clientAppUri)
 goto cleanup;
 
- UA_MessageSecurityMode securityMode = parseSecurityMode (securityModeStr);
- if (securityMode == UA_MESSAGESECURITYMODE_INVALID)
+ /* Security configuration (optional). When certificate, privateKey, and
+ trustStore are all omitted the client connects without encryption.
+ When any of the three is present, all three are required. */
+ const char *clientCertPath = configGet (&clientCfg, "certificate");
+ const char *clientKeyPath = configGet (&clientCfg, "privateKey");
+ const char *clientTrustStore = configGet (&clientCfg, "trustStore");
+ UA_Boolean clientSecure = (clientCertPath != NULL || clientKeyPath != NULL
+ || clientTrustStore != NULL);
+
+ if (clientSecure && (!clientCertPath || !clientKeyPath || !clientTrustStore))
 {
 UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "Unknown security mode: %s", securityModeStr);
+ "Incomplete client security config: certificate, "
+ "privateKey, and trustStore must all be set, or all "
+ "omitted");
 goto cleanup;
 }
 
- const char *securityPolicyUri = resolveSecurityPolicyUri (securityPolicyStr);
- if (!securityPolicyUri)
+ UA_MessageSecurityMode securityMode = UA_MESSAGESECURITYMODE_NONE;
+ const char *securityPolicyUri
+ = "http://opcfoundation.org/UA/SecurityPolicy#None";
+
+ if (clientSecure)
 {
- UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "Unknown security policy: %s", securityPolicyStr);
- goto cleanup;
+ const char *securityModeStr
+ = configRequire (&clientCfg, "securityMode", "ServerRegister");
+ const char *securityPolicyStr
+ = configRequire (&clientCfg, "securityPolicy", "ServerRegister");
+ if (!securityModeStr || !securityPolicyStr)
+ goto cleanup;
+
+ securityMode = parseSecurityMode (securityModeStr);
+ if (securityMode == UA_MESSAGESECURITYMODE_INVALID)
+ {
+ UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+ "Unknown security mode: %s", securityModeStr);
+ goto cleanup;
+ }
+
+ securityPolicyUri = resolveSecurityPolicyUri (securityPolicyStr);
+ if (!securityPolicyUri)
+ {
+ UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+ "Unknown security policy: %s", securityPolicyStr);
+ goto cleanup;
+ }
+
+ if (loadTrustStore (clientTrustStore, &clientTrustPaths,
+ &clientTrustSize)
+ != 0)
+ goto cleanup;
 }
 
 const char *clientUsername = NULL, *clientPassword = NULL;
@@ -200,15 +241,6 @@ main (int argc, char **argv)
 != 0)
 goto cleanup;
 
- const char *clientTrustStore
- = configRequire (&clientCfg, "trustStore", "ServerRegister");
- if (!clientTrustStore)
- goto cleanup;
-
- if (loadTrustStore (clientTrustStore, &clientTrustPaths, &clientTrustSize)
- != 0)
- goto cleanup;
-
 /* ── Create and configure server ────────────────────────────── */
 
 UA_StatusCode retval;
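Review bot: When certificate, privateKey and trustStore are all absent, `securityMode` and `securityPolicy` are never read, so a config that still says `securityMode = SignAndEncrypt` but has lost its certificate entry starts the LDS client with policy None instead of failing — the downgrade is silent, whereas the removed code failed closed because every key was required. Reading the two keys with `configGet` before the `if (clientSecure)` branch and rejecting them on the unencrypted path (lines below, placed right after the incomplete-security check) restores that behaviour. The comment above the `configGet` calls should also say that with `clientSecure` false any username/password read just below goes over a None channel; whether the open62541 client refuses to send a plaintext password on such a channel depends on the library version, so treating that combination as at least a logged warning is worth considering. main continues on both sides of the hunk.
```c
  if (!clientSecure
      && (configGet (&clientCfg, "securityMode")
          || configGet (&clientCfg, "securityPolicy")))
    {
      UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                    "securityMode/securityPolicy set but certificate, "
                    "privateKey, and trustStore are missing; refusing to "
                    "fall back to an unencrypted connection");
      goto cleanup;
    }
  /* … unchanged: securityMode / securityPolicyUri defaults and the
     clientSecure branch … */
```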
@@ -221,19 +253,22 @@ main (int argc, char **argv)
 UA_ServerConfig *serverConfig = UA_Server_getConfig (server);
 serverConfig->logging->context = (void *)(uintptr_t)logLevel;
 
- /* Configure access control after server creation because both
- UA_ServerConfig_setDefaultWithSecurityPolicies and
- UA_ServerConfig_setMinimal reset the access control plugin. The
- credential list is deep-copied by UA_AccessControl_default. */
- if (!serverAllowAnonymous)
+ /* Configure access control. UA_ServerConfig_setDefaultWithSecure-
+ SecurityPolicies sets certificate-only auth by default, so we must
+ always call UA_AccessControl_default to get the desired policy. */
+ if (serverAllowAnonymous)
+ {
+ retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
+ }
+ else
 {
 UA_UsernamePasswordLogin logins[1];
 logins[0].username = UA_STRING ((char *)serverUsername);
 logins[0].password = UA_STRING ((char *)serverPassword);
 retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
- if (retval != UA_STATUSCODE_GOOD)
- goto cleanup;
 }
+ if (retval != UA_STATUSCODE_GOOD)
+ goto cleanup;
 
 serverConfig->applicationDescription.applicationType
 = UA_APPLICATIONTYPE_SERVER;
-- cgit v1.2.3
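Review bot: The username branch passes `NULL` as the `userTokenPolicyUri` argument of `UA_AccessControl_default`, so the UserName token policy it registers names no encrypting SecurityPolicy; now that this program can run with SecurityPolicy#None only and secure servers also expose a None discovery endpoint, that is exactly the configuration in which a password crosses the wire in the clear, and as far as I recall the default access-control plugin logs a "can leak credentials" warning for it rather than refusing. When secure policies are loaded, hand it the strongest one instead, e.g. `retval = UA_AccessControl_default (serverConfig, false, &serverConfig->securityPolicies[serverConfig->securityPoliciesSize - 1].policyUri, 1, logins);` (confirm which policy ends up last in your setup), and treat username auth on a None-only server as a config error rather than a warning. The removed comment's note that the credential list is deep-copied by `UA_AccessControl_default` explained why the stack-local `logins` array may go out of scope right after the call; keeping that sentence in the new comment would help the next reader. main continues beyond the hunk.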